Feature #3377

open

OAuth2 authentication in captive portal

Added by Thomas NOEL over 10 years ago. Updated over 1 year ago.

Status: New
Priority: Normal
Assignee:
Category: Captive Portal
Target version:
Start date: 12/31/2013
Due date:
% Done: 0%
Estimated time: 20.00 h
Plus Target Version:
Release Notes:

Description

In Captive Portal we have native, LDAP and RADIUS authentication. Today, a lot of authentication systems provide an OAuth2 backend. As the CP authenticates users through the web, it can be an OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

          O  RADIUS Authentication
             Radius Protocol    
               O  PAP
               O  CHAP_MD5
               O  MSCHAPv1
               O  MSCHAPv2
       O OAuth2 Authentication
             OAuth2 accepted providers
               [ ] Amazon
               [ ] BitLy
               [ ] Box
               [ ] Dailymotion
               [ ] Dropbox
               [ ] Facebook
               [ ] Foursquare
               [ ] GitHub
               [ ] Google
               [ ] Heroku
               [ ] Instagram
               [ ] LinkedIn
               [ ] Microsoft
               [ ] PayPal
               [ ] RunKeeper
               [ ] SoundCloud
               [ ] Vkontakte
               [ ] Yammer
               [ ] Reddit
               [ ] Local1
               [ ] Local2

Local1, Local2, ... are local providers found in /usr/local/oauth2/local-providers/, for example.

Of course, there are other parameters (key/secret for each OAuth2 provider). And we have to open HTTPS for all selected OAuth2 providers -- that is not very hard with "allowed hostnames".

I think that https://github.com/Lusitanian/PHPoAuthLib could be a good OAuth2 implementation to use. Adding local providers is easy with this module.

Do you think such a feature is a good idea? If there is no rebuttal, I can write a first proposal for a patch...
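
The flow the description sketches, written out as an added example that is not part of this issue, of pfSense, or of PHPoAuthLib: the portal (OAuth2 client) builds the authorization request with a per-session state value and a PKCE challenge, the provider redirects the browser back to the portal with a code, and the portal checks the state before exchanging the code for a token. The provider endpoints, client credentials and portal redirect URI are made-up placeholders, and the provider itself is faked in-process (FakeProvider) so the exchange runs offline; `allowed_hostnames` shows how the hosts that must be reachable over HTTPS before authentication fall out of the provider configuration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical provider configuration (placeholders, not a real IdP): in a
# deployment these come from the provider's developer console and the CP page.
PROVIDER = {
    "authorize_url": "https://accounts.example-idp.test/o/oauth2/auth",
    "token_url": "https://oauth2.example-idp.test/token",
    "userinfo_url": "https://www.example-idp.test/oauth2/v1/userinfo",
    "client_id": "cp-client-id",
    "client_secret": "cp-client-secret",
    "redirect_uri": "https://portal.example.test:8001/index.php",
    "scope": "openid email",
}

def allowed_hostnames(provider):
    """Hostnames an unauthenticated client must be allowed to reach over HTTPS
    to complete the round trip: the CP 'allowed hostnames' entries for this IdP."""
    return sorted({urlparse(provider[k]).hostname
                   for k in ("authorize_url", "token_url", "userinfo_url")})

def _s256(verifier):
    """PKCE S256 challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorization_request(provider, session):
    """Start the flow: a fresh state (anti-CSRF) and PKCE verifier are stored in
    this client's portal session and the state/challenge sent to the provider."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)
    params = {
        "response_type": "code",
        "client_id": provider["client_id"],
        "redirect_uri": provider["redirect_uri"],
        "scope": provider["scope"],
        "state": session["oauth_state"],
        "code_challenge": _s256(session["pkce_verifier"]),
        "code_challenge_method": "S256",
    }
    return provider["authorize_url"] + "?" + urlencode(params)

def handle_callback(provider, session, query, token_endpoint):
    """Finish the flow on the portal's redirect_uri (query is parse_qs-style).
    Returns an access token, or None when the callback is not one we issued."""
    expected = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    state = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected, state):
        return None  # login CSRF or replayed callback: do not open the firewall
    if "error" in query or "code" not in query:
        return None
    token = token_endpoint({
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": provider["redirect_uri"],
        "client_id": provider["client_id"],
        "client_secret": provider["client_secret"],
        "code_verifier": verifier,
    })
    return token.get("access_token") if token else None

class FakeProvider:
    """In-process stand-in for the authorization server (constructed for the demo)."""
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.codes = redirect_uri, {}

    def authorize(self, url):
        """The user consents; the provider redirects back with code and echoed state."""
        q = parse_qs(urlparse(url).query)
        if q["client_id"][0] != self.client_id or q["redirect_uri"][0] != self.redirect_uri:
            return {"error": ["invalid_request"]}
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["code_challenge"][0]
        return {"code": [code], "state": q["state"]}

    def token(self, form):
        """Code exchange: single-use code, exact redirect_uri, client secret, PKCE."""
        challenge = self.codes.pop(form.get("code"), None)
        if challenge is None or form.get("redirect_uri") != self.redirect_uri:
            return None
        if form.get("client_id") != self.client_id or form.get("client_secret") != self.client_secret:
            return None
        if not hmac.compare_digest(_s256(form["code_verifier"]), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def demo_login(provider=PROVIDER, tamper_state=False):
    """One portal login end to end; with tamper_state the echoed state is swapped
    as in a login-CSRF attempt, and handle_callback must refuse it."""
    idp = FakeProvider(provider["client_id"], provider["client_secret"], provider["redirect_uri"])
    session = {}
    callback = idp.authorize(build_authorization_request(provider, session))
    if tamper_state:
        callback["state"] = ["not-the-issued-state"]
    return handle_callback(provider, session, callback, idp.token)
```

`demo_login()` returns an access token for the normal path and `None` when the state echoed back does not match the one stored in the portal session; a second callback with the same code is likewise refused, because the state was consumed on the first one. In a real portal the session would be keyed to the client's MAC/IP so that the firewall pass rule is added for the device that started the login and no other.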

Actions #1

Updated by Ermal Luçi over 10 years ago

Sure go ahead.

Actions #2

Updated by Thomas NOEL over 10 years ago

Here is a proof of concept for an OAuth2 captive portal authentication with Google accounts:
https://github.com/entrouvert/pfsense/tree/RELENG_2_1
The README.md file explains how to activate it.

Note: we have made changes on the RELENG_2_1 branch, because we can test them on the pfSense 2.1 ISO. Is there a pfSense "master" ISO (future 2.2) somewhere?

Actions #3

Updated by Chris Buechler over 10 years ago

There will be publicly-available 2.2 snapshots in the not too distant future. At this point, I think you might be OK running master code on a 2.1 install. If you gitsync to master, that may work fine, but I'd do that in a VM you can blow away and reinstall just in case. https://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots

Actions #4

Updated by simon mitnick over 9 years ago

Thomas NOEL wrote:

Here is a proof of concept for an OAuth2 captive portal authentication with Google accounts:
https://github.com/entrouvert/pfsense/tree/RELENG_2_1
The README.md file explains how to activate it.

Note: we have made changes on the RELENG_2_1 branch, because we can test them on the pfSense 2.1 ISO. Is there a pfSense "master" ISO (future 2.2) somewhere?

Dear All,

I'm sorry if I have written in the wrong place...

I am writing to ask for support in including OAuth2 in the pfSense CP. I don't understand how I can simulate the callback URI in a virtual environment with private IP addresses.

Do you know of some workaround for having (i.e. https://cpfsense:8001/index.php) accepted as a valid callback URI?

(pfsense= 192.100.xxx.xxx)

Error message by Google OAuth2 Login:

Invalid parameter value for redirect_uri: Non-public domains not allowed: https://pfsense:8001/index.php

I'm starting my project from https://github.com/entrouvert/pfsense/tree/RELENG_2_1 but I'm not able to test it in VirtualBox!
Any help is appreciated.
Cheers
Simon

Actions #5

Updated by bamidele Amire almost 9 years ago

Chris Buechler wrote:

There will be publicly-available 2.2 snapshots in the not too distant future. At this point, I think you might be OK running master code on a 2.1 install. If you gitsync to master, that may work fine, but I'd do that in a VM you can blow away and reinstall just in case. https://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots

Please, can I get a link to download an ISO that has the OAuth option for authentication?

Actions #6

Updated by Cleber Ronaldo over 7 years ago

Thomas NOEL wrote:

In Captive Portal we have native, LDAP and RADIUS authentication. Today, a lot of authentication systems provide an OAuth2 backend. As the CP authenticates users through the web, it can be an OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

[...]

Local1, Local2, ... are local providers found in /usr/local/oauth2/local-providers/, for example.

Of course, there are other parameters (key/secret for each OAuth2 provider). And we have to open HTTPS for all selected OAuth2 providers -- that is not very hard with "allowed hostnames".

I think that https://github.com/Lusitanian/PHPoAuthLib could be a good OAuth2 implementation to use. Adding local providers is easy with this module.

Do you think such a feature is a good idea? If there is no rebuttal, I can write a first proposal for a patch...

Any news about this topic?

Actions #7

Updated by Jim Thompson over 7 years ago

  • Assignee set to Jim Thompson
  • Target version changed from Future to 2.4.0

Cleber Ronaldo wrote:

Thomas NOEL wrote:

In Captive Portal we have native, LDAP and RADIUS authentication. Today, a lot of authentication systems provide an OAuth2 backend. As the CP authenticates users through the web, it can be an OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

[...]

Local1, Local2, ... are local providers found in /usr/local/oauth2/local-providers/, for example.

Of course, there are other parameters (key/secret for each OAuth2 provider). And we have to open HTTPS for all selected OAuth2 providers -- that is not very hard with "allowed hostnames".

I think that https://github.com/Lusitanian/PHPoAuthLib could be a good OAuth2 implementation to use. Adding local providers is easy with this module.

Do you think such a feature is a good idea? If there is no rebuttal, I can write a first proposal for a patch...

Any news about this topic?

Looks straight-forward to add. Just ran across this.

Actions #8

Updated by Kristian Junkov over 7 years ago

Thomas NOEL wrote:

In Captive Portal we have native, LDAP and RADIUS authentication. Today, a lot of authentication systems provide an OAuth2 backend. As the CP authenticates users through the web, it can be an OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

Is there any reason why it should only be limited to Captive Portal? I would love to use my Azure AD via OAuth2 for OpenVPN. I have been looking into an OAuth2 Perl module for FreeRADIUS (https://github.com/jimdigriz/freeradius-oauth2-perl), but being able to use OAuth directly as a backend in pfSense would be even better.

Another thing: if OAuth is added as a backend user DB for pfSense, would it be possible to enable the FreeRADIUS server in pfSense to do the same? (Most network appliances only speak RADIUS, e.g. access points, managed switches, etc.)

Really looking forward to any updates on this feature. Being able to utilize the cloud (user database) for pfSense would really be a quality of life improvement!

Best regards
Kristian

Actions #9

Updated by Jim Thompson over 7 years ago

Kristian Junkov wrote:

Thomas NOEL wrote:

In Captive Portal we have native, LDAP and RADIUS authentication. Today, a lot of authentication systems provide an OAuth2 backend. As the CP authenticates users through the web, it can be an OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

Is there any reason why it should only be limited to Captive Portal? I would love to use my Azure AD via OAuth2 for OpenVPN. I have been looking into an OAuth2 Perl module for FreeRADIUS (https://github.com/jimdigriz/freeradius-oauth2-perl), but being able to use OAuth directly as a backend in pfSense would be even better.

Another thing: if OAuth is added as a backend user DB for pfSense, would it be possible to enable the FreeRADIUS server in pfSense to do the same? (Most network appliances only speak RADIUS, e.g. access points, managed switches, etc.)

Really looking forward to any updates on this feature. Being able to utilize the cloud (user database) for pfSense would really be a quality of life improvement!

Best regards
Kristian

My preference is to keep this limited to CP for now.

That said, your idea has merit, and I'd appreciate it if you opened a separate feature request for same.

Actions #10

Updated by Kristian Junkov over 7 years ago

My preference is to keep this limited to CP for now.

That said, your idea has merit, and I'd appreciate it if you opened a separate feature request for same.

Thanks! I have made a separate feature request here: https://redmine.pfsense.org/issues/6742

BR Kristian

Actions #11

Updated by Jim Pingle almost 7 years ago

  • Target version changed from 2.4.0 to 2.4.1

Actions #12

Updated by Jim Pingle over 6 years ago

  • Target version changed from 2.4.1 to 2.4.2

Actions #13

Updated by Jim Pingle over 6 years ago

  • Target version changed from 2.4.2 to 2.4.3

Actions #14

Updated by Ponvannan Sankaran over 6 years ago

Are there any further developments on the above feature (RADIUS with an OAuth backend, to support Google Apps IDs)? It would be a very nice feature; I will give it +1.

Actions #15

Updated by Jim Pingle over 6 years ago

  • Target version changed from 2.4.3 to 2.4.4

Actions #16

Updated by Anonymous over 5 years ago

  • Target version changed from 2.4.4 to 48

Actions #17

Updated by Jim Pingle about 5 years ago

  • Target version changed from 48 to 2.5.0

Actions #18

Updated by Anonymous over 3 years ago

  • Target version changed from 2.5.0 to Future

Actions #19

Updated by Tom Peeters over 1 year ago

We would like to set up a captive portal with an authentication server that supports OAuth2. At the moment it's only possible to choose between LDAP and RADIUS.
If that were possible, an integration with Office 365 or Google Workspace or ... would be just a few clicks away.
Vote +1
