pfSense

Sure go ahead.

Here is a proof of concept, for a OAuth2 captive portal authentication with Google accounts :
https://github.com/entrouvert/pfsense/tree/RELENG_2_1
The README.md file explains how to activate it.

Note : we have made changes on the RELENG_2_1 branch, because we can test them on pfSense 2.1 ISO. Is there a pfSense "master" ISO (future 2.2) somewhere ?

there will be publicly-available 2.2 snapshots in the not too distant future. At this point, I think you might be ok running master code on a 2.1 install. If you gitsync to master, that may work fine, but I'd do that in a VM you can blow away and reinstall just in case. https://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots

Thomas NOEL wrote:

Here is a proof of concept, for a OAuth2 captive portal authentication with Google accounts :
https://github.com/entrouvert/pfsense/tree/RELENG_2_1
The README.md file explains how to activate it.

Note : we have made changes on the RELENG_2_1 branch, because we can test them on pfSense 2.1 ISO. Is there a pfSense "master" ISO (future 2.2) somewhere ?

Dear All,

I'm sorry if I have wrote in the wrong place...

I write for asking a support in order to include OAuth2 in pfSense CP. I don't catch the point how I can simulate on virtual environment the callback URI with private IP addresses?

Do you know some workaround for having (i.e https://cpfsense:8001/index.php as valid callback URI.

(pfsense= 192.100.xxx.xxx)

Error message by Google OAuth2 Login:

Invalid parameter value for redirect_uri: Non-public domains not allowed: https://pfsense:8001/index.php

I'm starting my project from https://github.com/entrouvert/pfsense/tree/RELENG_2_1 but I'm not able to test in virtualbox!
Any help is appreciate.
cheers
Simon

Chris Buechler wrote:

there will be publicly-available 2.2 snapshots in the not too distant future. At this point, I think you might be ok running master code on a 2.1 install. If you gitsync to master, that may work fine, but I'd do that in a VM you can blow away and reinstall just in case. https://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots

Pls can I get a link to download an ISO that has the oauth option for authentication?

Thomas NOEL wrote:

In Captive Portal we have native, ldap and radius authentication. Today, a lot of authentication systems provide OAuth2 backend. As CP authenticate users trought web, it can be a OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

[...]

Local1, Local2, ... are local providers found in /usr/local/oauth2/local-providers/, for example.

Of course, there is other parameters (key/secret for each oauth2 provider). And we have to open HTTPS for all selected OAuth2 providers -- tat is not very hard with "allowed hostnames".

I think that https://github.com/Lusitanian/PHPoAuthLib could be a good OAuth2 implementation to use. Add local providers is easy with this module.

Do you think such a feature is a good idea ? If there is no rebuttal, I can write a first proposal for a patch...

News about this topic???

Thomas NOEL wrote:

In Captive Portal we have native, ldap and radius authentication. Today, a lot of authentication systems provide OAuth2 backend. As CP authenticate users trought web, it can be a OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

Is there any reason why it should only be limited to Captive Portal? I would love to use my Azure AD via OAuth2 for OpenVPN. I have been looking into a oauth2 perl module for freeradius (https://github.com/jimdigriz/freeradius-oauth2-perl) but being able to use oauth directly as a backend if pfsense would be even better.

Another thing, if OAuth is added as a backend userdb for pfsense, would it be possible to enable the freeradius server in pfsense to do the same? (Most network appliances only speak radius e.g. access points, managed switches etc.)

Really looking forward for any updates on this feature. Being able to utilize the cloud (user database) for pfsense would really be a quality of life improvement!

Best regards
Kristian

Kristian Junkov wrote:

Thomas NOEL wrote:

In Captive Portal we have native, ldap and radius authentication. Today, a lot of authentication systems provide OAuth2 backend. As CP authenticate users trought web, it can be a OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

Is there any reason why it should only be limited to Captive Portal? I would love to use my Azure AD via OAuth2 for OpenVPN. I have been looking into a oauth2 perl module for freeradius (https://github.com/jimdigriz/freeradius-oauth2-perl) but being able to use oauth directly as a backend if pfsense would be even better.

Another thing, if OAuth is added as a backend userdb for pfsense, would it be possible to enable the freeradius server in pfsense to do the same? (Most network appliances only speak radius e.g. access points, managed switches etc.)

Really looking forward for any updates on this feature. Being able to utilize the cloud (user database) for pfsense would really be a quality of life improvement!

Best regards
Kristian

My preference is to keep this limited to CP for now.

That said, your idea has merit, and I'd appreciate it if you opened a separate feature request for same.

My preference is to keep this limited to CP for now.

That said, your idea has merit, and I'd appreciate it if you opened a separate feature request for same.

Thanks! I have made a separate feature request here: https://redmine.pfsense.org/issues/6742

BR Kristian

is there further developments on the above feature radius with oauth backend to support google apps id it will be very nice feature i will give +1

We would like to setup a captive portal with an authentication server that supports type oauth2. At the moment it's only possible to choose between LDAP or RADIUS.
If that could be possible, an integration with Office 365 or Google Workspace or ... is just a few clicks away.
Vote +1