cyberdem0n / pam-oauth2
OAuth2 pam module
License: MIT License
Hi,
I am trying SSH to a server using this PAM module.
keycloak server Token end point is http://localhost:8080/auth/realms/demo/protocol/openid-connect/token
do you have any example PAM configuration for using keycloak for authentication.
Thanks and regards,
Adishesh
Hello! I have an issue with two users with the same passwords. Without sending the login, authentication failed for one of the users.
Hey, could you add some examples of how to use it? E.g. for Github/Gitlab, Google, Microsoft and so on.
$ make
cc -Wall -fPIC -ansi -pedantic -c -o pam_oauth2.o pam_oauth2.c
pam_oauth2.c: In function ‘pam_sm_authenticate’:
pam_oauth2.c:195:12: warning: ISO C90 forbids variable length array ‘ct’ [-Wvla]
195 | struct check_tokens ct[argc];
| ^~~~~~~~~~~~
cc -shared pam_oauth2.o -lcurl -o pam_oauth2.so
Hello, first of all: Thank you for your work on this project.
I'm still learning PAM and have been experimenting with this module for a few hours now. Unfortunately I am not able to get it working. Maybe I am misunderstanding something and you can point me in the right direction.
I set up the module in the PAM config and placed it above pam_localuser.so. I can see from the logs that the module is working but I keep getting 4xx errors from my Keycloak instance. I added some more syslog calls and found that the access_token I pass during login is incomplete: strlen reports that it has 1023 characters while the one I pass during login has 1555 characters. Therefore Keycloak fails during the request to the info endpoint.
I did my tests using SSH and thought I was supposed to pass the token where I normally enter a password. Is that my mistake?
Thanks for your help :)
Hello, does it work with OAuth1.0a? Thank you
Hi!
Trying to use the pam-oauth2 module. My common-auth has:
auth sufficient pam_oauth2.so "https://www.googleapis.com/admin/directory/v1/users?access_token=geghshgklhwreiuhgwierhgwiue&domain=aaa.bbb" primaryEmail suspended=false
account sufficient pam_oauth2.so
And log tells me:
Nov 9 15:31:42 vagrant sshd[4384]: pam_oauth2: failed to perform curl request
What am I doing wrong?
The URL is working through curl. I have checked without quotes - same error :(
I was trying to set this up to authenticate against Keycloak's token endpoint and discovered that it seems to be hard coded to use GET requests while the API I have requires the secrets be passed in POST data. I can construct a working query via curl that returns something I think will be processed okay, but when I set up PAM to do the same thing with this module I can only figure out how to get a GET request out.
Comments in #3 which also mentions Keycloak suggest using a different project pam-exec-oauth2 which seems to send POST requests correctly. I'm going to try setting up that for now, but I would rather switch back to this if a way to authenticate against Keycloak was added.
By the way, I did set up Arch Linux packaging on the AUR for this if anybody wants it.
Nice plugin! Working as expected.
Any recommendations for a debug/breakpoint setup if I am looking to extend this?
Hi,
I'm interested in understanding whether this PAM module might be used with an OpenID-Connect provider, since OIDC is based on OAuth2. I believe this doesn't work right now, but the two discrepancies I've found might be fairly easily fixed.
(This issue is really to test the water, to see whether OIDC access-token support is of interest. The individual issues could be split off into separate issues, if that would help in managing them.)
First issue: embedding the access-token in URL query part.
An OIDC user-info endpoint is authorised by the access token:
https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest
This is done using the Authorization request header. This PAM module currently seems to embed the access token within the userinfo endpoint's URL, as a query parameter.
Would it be possible to add support for querying the OP's userinfo endpoint using the Authorization request header?
Second issue: the PAM module seems to assume that the OP returns at least the username (and also group-membership?) in the user-info endpoint response.
A successful OIDC userinfo response can contain many claims:
https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
However, I believe the only guaranteed one is sub, which uniquely identifies the individual. More generally, there are OPs that identify many individuals: users (of the machine) and other people who have no account on this machine.
Therefore, some library/component/configuration-file would be needed that maps sub claim values to the corresponding users on the system. This PAM module would also need to reject login requests that are valid, but for which there is no mapped user.
Do you have any thoughts on how this mapping might be achieved?
Finally, it would be helpful if you could provide some worked examples, showing a PAM configuration and an application/service where the user may be logged in when they provide an access token.
Cheers,
Paul.
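One way the sub-to-local-user mapping Paul asks about could look, as an added example in C (not code from pam-oauth2; the "sub:user" mapping-file format, the function names and the sample sub values are assumptions for illustration). The userinfo fetch itself (libcurl with an Authorization: Bearer header) is left out so the block runs offline; it starts from a userinfo body already received and shows the reject-if-unmapped decision:

```c
#include <string.h>
/* Constructed sub -> local account table, one "sub:user" pair per line;
   the file format is an assumption of this example, not pam-oauth2's. */
static const char *SUB_MAP =
    "248289761001:alice\n"
    "f3b9c2a1-demo-sub:bob\n";
/* Pull the "sub" claim (a JSON string) out of a userinfo body. Minimal on
   purpose: a real module should use a JSON parser instead of strstr. */
int extract_sub(const char *json, char *out, size_t outlen)
{
    const char *p, *end;
    p = strstr(json, "\"sub\"");
    if (!p || !(p = strchr(p + 5, ':'))) return 0;
    for (p++; *p == ' ' || *p == '\t'; p++) ;
    if (*p != '"' || !(end = strchr(++p, '"')) || (size_t)(end - p) >= outlen) return 0;
    memcpy(out, p, (size_t)(end - p));
    out[end - p] = '\0';
    return 1;
}

/* Exact-match lookup of sub in the table; 0 means "no mapped user". */
int map_sub_to_user(const char *map, const char *sub, char *user, size_t userlen)
{
    const char *line = map, *nl;
    size_t sublen = strlen(sub), linelen, ulen;
    while (*line) {
        nl = strchr(line, '\n');
        linelen = nl ? (size_t)(nl - line) : strlen(line);
        if (linelen > sublen + 1 && strncmp(line, sub, sublen) == 0 && line[sublen] == ':') {
            ulen = linelen - sublen - 1;
            if (ulen >= userlen) return 0;
            memcpy(user, line + sublen + 1, ulen);
            user[ulen] = '\0';
            return 1;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* PAM decision: accept (1) only when sub is mapped AND the mapped account is
   the one being logged into; a valid token for an unmapped sub is rejected. */
int authorize_userinfo(const char *json, const char *pam_user)
{
    char sub[128], user[64];
    if (!extract_sub(json, sub, sizeof sub)) return 0;
    if (!map_sub_to_user(SUB_MAP, sub, user, sizeof user)) return 0;
    return strcmp(user, pam_user) == 0;
}
```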