
pam-oauth2's People

Contributors

cyberdem0n


pam-oauth2's Issues

Two users with same passwords

Hello! I have an issue with two users with the same passwords. Without sending the login, authentication failed for one of the users.

Examples?

Hey, could you add some examples of how to use it? E.g. for GitHub/GitLab, Google, Microsoft and so on.

compilation warning

$ make
cc -Wall -fPIC -ansi -pedantic   -c -o pam_oauth2.o pam_oauth2.c
pam_oauth2.c: In function ‘pam_sm_authenticate’:
pam_oauth2.c:195:12: warning: ISO C90 forbids variable length array ‘ct’ [-Wvla]
  195 |     struct check_tokens ct[argc];
      |            ^~~~~~~~~~~~
cc -shared pam_oauth2.o -lcurl -o pam_oauth2.so

Authtok cut at 1024 characters

Hello, first of all: Thank you for your work on this project.

I'm still learning PAM and have been experimenting with this module for a few hours now. Unfortunately I am not able to get it working. Maybe I am misunderstanding something and you can point me in the right direction.

I set up the module in the PAM config and placed it above pam_localuser.so. I can see from the logs that the module is working, but I keep getting 4xx errors from my Keycloak instance. I added some more syslog calls and found that the access_token I pass during login is incomplete: strlen reports that it has 1023 characters, while the one I pass during login has 1555 characters. Therefore Keycloak fails during the request to the info endpoint.

I did my tests using SSH and thought I'm supposed to pass the token where I normally enter a password. Is that my mistake?

Thanks for your help :)

Support POST API requests?

I was trying to set this up to authenticate against Keycloak's token endpoint and discovered that it seems to be hard coded to use GET requests, while the API I have requires the secrets to be passed in POST data. I can construct a working query via curl that returns something I think will be processed okay, but when I set up PAM to do the same thing with this module I can only figure out how to get a GET request out.

Comments in #3, which also mentions Keycloak, suggest using a different project, pam-exec-oauth2, which seems to send POST requests correctly. I'm going to try setting that up for now, but I would rather switch back to this if a way to authenticate against Keycloak were added.

By the way, I did set up Arch Linux packaging on the AUR for this if anybody wants it.

Debug Recommendations

Nice plugin! Working as expected.

Any recommendations for a debug/breakpoint setup if I am looking to extend this?

Authenticating with OpenID-Connect

Hi,

I'm interested in understanding whether this PAM module might be used with an OpenID-Connect provider, since OIDC is based on OAuth2. I believe this doesn't work right now, but the two discrepancies I've found might be fairly easily fixed.

(This issue is really to test the water, to see whether OIDC access-token support is of interest. The individual issues could be split off into separate issues, if that would help in managing them.)

First issue: embedding the access-token in URL query part.

An OIDC user-info endpoint is authorised by the access token:

https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest

This is done using the Authorization request header. This PAM module currently seems to embed the access token within the userinfo endpoint's URL, as a query parameter.

Would it be possible to add support for querying the OP's userinfo endpoint using the Authorization request header?

Second issue: the PAM module seems to assume that the OP returns at least the username (and also group-membership?) in the user-info endpoint response.

A successful OIDC userinfo response can contain many claims:

https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse

However, I believe the only guaranteed one is sub, which uniquely identifies the individual. More generally, there are OPs that identify many individuals: users (of the machine) and other people who have no account on this machine.

Therefore, some library/component/configuration-file would be needed that maps sub claim values to the corresponding users on the system. This PAM module would also need to reject login requests that are valid, but for which there is no mapped user.

Do you have any thoughts on how this mapping might be achieved?

Finally, it would be helpful if you could provide some worked examples, showing a PAM configuration and an application/service where the user may be logged in when they provide an access token.

Cheers,
Paul.
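An added example, not code from the pam-oauth2 module, of the two points raised in this issue: sending the access token in an Authorization header instead of the URL query, and mapping sub claim values to local accounts while rejecting tokens that are valid but belong to an unmapped or different user. The mapping file format and all sub values below are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed mapping file: "<sub> <local user>" per line, '#' comments.
   A hypothetical format, not one the module defines. */
static const char *SUB_MAP_TEXT =
    "# OIDC sub claim -> local account\n"
    "248289761001 alice\n"
    "e9a1f6d2 bob\n";

/* Send the userinfo credential as a header (Authorization: Bearer) instead of
   a URL query parameter that access logs record. Returns 0, or -1 if it does not fit. */
int build_auth_header(const char *token, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "Authorization: Bearer %s", token);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Find the local account mapped to a sub claim: copies it into user[] and
   returns 0, or returns -1 when the sub is unmapped or the name is too long. */
int map_sub_to_user(const char *map_text, const char *sub, char *user, size_t userlen)
{
    const char *line = map_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[256], sub_f[128], user_f[64];
        if (len > 0 && line[0] != '#' && len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (sscanf(buf, "%127s %63s", sub_f, user_f) == 2
                && strcmp(sub_f, sub) == 0) {
                if (strlen(user_f) >= userlen) return -1;
                strcpy(user, user_f);
                return 0;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return -1;
}

/* PAM decision: allow (1) only when the sub maps to exactly the account the
   login is for; a valid token for an unmapped or different user is denied (0). */
int allow_login(const char *map_text, const char *sub, const char *pam_user)
{
    char mapped[64];
    if (map_sub_to_user(map_text, sub, mapped, sizeof mapped) != 0) return 0;
    return strcmp(mapped, pam_user) == 0;
}
```

The sub string is assumed to have already been extracted from the userinfo JSON; the decision deliberately compares the mapped account with the PAM target user so a token for one account cannot log in another.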
