
No information returned from Google oAuth #201

Closed
vincib opened this issue Feb 28, 2024 · 6 comments
Labels
✨ enhancement New feature or request

Comments

@vincib
Contributor

vincib commented Feb 28, 2024

Current Behavior

I'm using the google provider and it works fine with the configuration below

That said, I need to know the identity of our connected user to know which IP address to give him/her later in the openvpn, via a client-connect script.

openvpn-auth-oauth2 logs this when the user is logged in:

time=2024-02-28T17:03:12.635+01:00 level=INFO msg="successful authorization via oauth2" cid=21 kid=1 session_id="" common_name=lavar user.subject="" user.preferred_username=""
time=2024-02-28T17:03:12.636+01:00 level=INFO msg="accept OpenVPN client cid 21, kid 1" cid=21 kid=1 session_id="" common_name=lavar user.subject="" user.preferred_username=""

I see that there is no username or subject returned by the oAuth session... Is it normal?

I expect to get some information from google regarding the logged-in user but I have none...

Expected Behavior

I expect openvpn-auth-oauth2 to get an email or name from the oAuth process, which can then be processed by openvpn (for example via a client-connect script).

If it's clearly non-standard, feel free to reclassify this bug as a feature request <3 and let's talk about it.

Steps To Reproduce

No response

Environment

  • openvpn-auth-oauth2 Version: 1.18.0
  • OpenVPN Server Version: 2.6.3-1
  • Server OS: Debian 12
  • OpenVPN Client (flavor, OS): openvpn3 on debian 12
  • OIDC Provider: Google

openvpn-auth-oauth2 logs

openvpn-auth-oauth2[2165626]: time=2024-02-28T17:03:08.708+01:00 level=INFO msg="new client connection" cid=21 kid=1 common_name=lavar reason=CONNECT session_id="" session_state=""
openvpn-auth-oauth2[2165626]: time=2024-02-28T17:03:08.708+01:00 level=INFO msg="start pending auth" cid=21 kid=1 common_name=lavar reason=CONNECT session_id="" session_state=""
openvpn-auth-oauth2[2165626]: time=2024-02-28T17:03:09.227+01:00 level=INFO msg="initialize authorization via oauth2" cid=21 kid=1 common_name=lavar
openvpn-auth-oauth2[2165626]: time=2024-02-28T17:03:12.635+01:00 level=INFO msg="successful authorization via oauth2" cid=21 kid=1 session_id="" common_name=lavar user.subject="" user.preferred_username=""
openvpn-auth-oauth2[2165626]: time=2024-02-28T17:03:12.636+01:00 level=INFO msg="accept OpenVPN client cid 21, kid 1" cid=21 kid=1 session_id="" common_name=lavar user.subject="" user.preferred_username=""

openvpn server logs

2024-02-28 17:03:08 us=709129 MANAGEMENT: CMD 'client-pending-auth 21 1 "WEB_AUTH::https://mydomain.com/oauth2/start?state=random" 180'
2024-02-28 17:03:08 us=709179 SENT CONTROL []: 'AUTH_PENDING,timeout 180' (status=1)
2024-02-28 17:03:08 us=709199 SENT CONTROL []: 'INFO_PRE,WEB_AUTH::https://mydomain.com/oauth2/start?state=random' (status=1)
2024-02-28 17:03:08 us=713918 1.2.3.4:41718 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2024-02-28 17:03:08 us=713977 1.2.3.4:41718 [] Peer Connection Initiated with [AF_INET]1.2.3.4:41718
2024-02-28 17:03:08 us=714167 1.2.3.4:41718 PUSH: Received control message: 'PUSH_REQUEST'
2024-02-28 17:03:09 us=712546 1.2.3.4:41718 PUSH: Received control message: 'PUSH_REQUEST'
2024-02-28 17:03:12 us=636130 MANAGEMENT: CMD 'client-auth 21 1'
2024-02-28 17:03:17 us=712955 1.2.3.4:41718 PUSH: Received control message: 'PUSH_REQUEST'
2024-02-28 17:03:17 us=713020 1.2.3.4:41718 MULTI_sva: pool returned IPv4=10.222.128.2, IPv6=(Not enabled)
Login not found
2024-02-28 17:03:17 us=740091 1.2.3.4:41718 WARNING: Failed running command (--client-connect): external program exited with error status: 1
2024-02-28 17:03:25 us=713523 1.2.3.4:41718 PUSH: Received control message: 'PUSH_REQUEST'

The "Login not found" is from a client-connect script, which receives a complete environment, but no username or email in this environment :/

Anything else?

My openvpn-oauth config is as follows:

CONFIG_OPENVPN_ADDR=unix:///run/openvpn/server.sock
CONFIG_OPENVPN_PASSWORD=xxxx
CONFIG_OAUTH2_PROVIDER=google
CONFIG_OAUTH2_ISSUER=https://accounts.google.com/.well-known/openid-configuration
CONFIG_OAUTH2_ENDPOINT_AUTH=https://accounts.google.com/o/oauth2/auth
CONFIG_OAUTH2_ENDPOINT_TOKEN=https://oauth2.googleapis.com/token
CONFIG_OAUTH2_CLIENT_ID=xxxx
CONFIG_OAUTH2_CLIENT_SECRET=xxxxx
CONFIG_HTTP_LISTEN=127.0.0.1:9000
CONFIG_HTTP_SECRET=xxxxx
CONFIG_HTTP_BASEURL=https://mydomain.com/
CONFIG_HTTP_ENABLE__PROXY__HEADERS=1
@vincib vincib added the 🐞 bug Something isn't working label Feb 28, 2024
@vincib
Contributor Author

vincib commented Feb 28, 2024

After reading part of the source code, it seems that there is no way to tell openvpn any information about the user that has just been authenticated...

_, err = c.SendCommandf("client-auth %d %d\r\npush \"auth-token-user %s\"\r\nEND", client.CID, client.KID, tokenUsername)

the only answer given to openvpn is the original openvpn username (which may be empty)

Am I wrong? Is there any way to give openvpn the identity of the oAuth-authenticated user?

@jkroepke jkroepke added ✨ enhancement New feature or request and removed 🐞 bug Something isn't working labels Feb 28, 2024
@jkroepke
Owner

jkroepke commented Feb 28, 2024

I expect to get some information from google regarding the logged-in user but I have none...

That is strange, it looks different on my side (I'm using Google Workspace as well):

time=2024-02-28T17:28:45.214+01:00 level=INFO msg="successful authorization via oauth2" ip=192.168.65.1:51284 cid=1 kid=1 session_id=tuvBvUCjrsaMDjT5 common_name="" idtoken.subject=115662897738804440569 idtoken.email=mail@jkroepke.de idtoken.preferred_username="" user.subject=115662897738804440569 user.preferred_username=""
time=2024-02-28T17:28:45.214+01:00 level=INFO msg="accept OpenVPN client cid 1, kid 1" ip=192.168.65.1:51284 cid=1 kid=1 session_id=tuvBvUCjrsaMDjT5 common_name="" idtoken.subject=115662897738804440569 idtoken.email=mail@jkroepke.de idtoken.preferred_username="" user.subject=115662897738804440569 user.preferred_username=""
time=2024-02-28T17:28:45.807+01:00 level=INFO msg="client established" ip=192.168.65.1:51284 vpn_ip=100.64.0.3 cid=1 common_name="" reason=ESTABLISHED session_id=tuvBvUCjrsaMDjT5 session_state=Initial

The ip fields are new (merged yesterday, but not released yet), but I'm also missing the idtoken log fields on your side. This happens only if openvpn-auth-oauth2 does not get an IDToken back from Google.

The problem could be that you are configuring too much. The recommended setting is

CONFIG_OAUTH2_PROVIDER=google
CONFIG_OAUTH2_ISSUER=https://accounts.google.com
CONFIG_OAUTH2_CLIENT_ID=162738495-xxxxx.apps.googleusercontent.com
CONFIG_OAUTH2_CLIENT_SECRET=GOCSPX-xxxxxxxx

and the auto-discovery should do the rest.


I expect openvpn-auth-oauth2 to get an email or name from the oAuth process, that can be then processed by openvpn (example via a client-connect script).

After reading part of the source code, it seems that there is no way to tell openvpn any information about the user that has just been authenticated...

Correct. The request you are looking for is this (please leave a vote on the first post):

There was a recent discussion yesterday; here is a summary:

Using Enterprise-like features (like WebAuth with SSO) together with native OpenVPN features is a combination which is currently not in scope of OpenVPN itself. While the feature request is valid, there is not enough traction to implement it.

The core maintainers say I should re-implement every feature in openvpn-auth-oauth2 the same way that other enterprise implementations do it.
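The diagnostic jkroepke gives above (a "successful authorization via oauth2" line without any idtoken.* fields means no ID token came back from Google) can be checked mechanically over the log. The following Go program is an added example written for this page, not code from openvpn-auth-oauth2 or from either participant; it parses the key=value log format shown in the issue and flags sessions that were accepted without ID-token claims. The sample lines are constructed for the example, modelled on the two log shapes in this thread, with placeholder subject and email values.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseLogFields splits one openvpn-auth-oauth2 log line (Go slog text
// format: space-separated key=value pairs, values quoted when they contain
// spaces or are empty) into a map. Backslash escapes inside quotes are honoured.
func ParseLogFields(line string) map[string]string {
	fields := map[string]string{}
	i := 0
	for i < len(line) {
		for i < len(line) && line[i] == ' ' { // skip separators
			i++
		}
		if i >= len(line) {
			break
		}
		eq := strings.IndexByte(line[i:], '=')
		if eq < 0 { // trailing token without '=': not a field, stop
			break
		}
		key := line[i : i+eq]
		i += eq + 1
		var val string
		if i < len(line) && line[i] == '"' { // quoted value
			i++
			var sb strings.Builder
			for i < len(line) && line[i] != '"' {
				if line[i] == '\\' && i+1 < len(line) {
					i++
				}
				sb.WriteByte(line[i])
				i++
			}
			i++ // consume closing quote
			val = sb.String()
		} else { // bare value runs to the next space
			end := strings.IndexByte(line[i:], ' ')
			if end < 0 {
				end = len(line) - i
			}
			val = line[i : i+end]
			i += end
		}
		fields[key] = val
	}
	return fields
}

// Finding summarises one authorization event.
type Finding struct {
	CID        string
	CommonName string
	HasIDToken bool // true when idtoken.subject is present and non-empty
	Subject    string
	Email      string
}

// CheckAuthorization inspects a single log line; ok is false when the line
// is not a "successful authorization via oauth2" event.
func CheckAuthorization(line string) (f Finding, ok bool) {
	fields := ParseLogFields(line)
	if fields["msg"] != "successful authorization via oauth2" {
		return Finding{}, false
	}
	sub := fields["idtoken.subject"]
	return Finding{
		CID:        fields["cid"],
		CommonName: fields["common_name"],
		HasIDToken: sub != "",
		Subject:    sub,
		Email:      fields["idtoken.email"],
	}, true
}

// MissingIDTokenSessions returns the cids of authorizations that carried no
// ID-token claims, i.e. the symptom reported in this issue.
func MissingIDTokenSessions(lines []string) []string {
	var out []string
	for _, l := range lines {
		if f, ok := CheckAuthorization(l); ok && !f.HasIDToken {
			out = append(out, f.CID)
		}
	}
	return out
}

// SampleLines are constructed for this example (placeholder subject/email),
// modelled on the "before" and "after" log lines in the issue.
var SampleLines = []string{
	`time=2024-02-28T17:03:12.635+01:00 level=INFO msg="successful authorization via oauth2" cid=21 kid=1 session_id="" common_name=lavar user.subject="" user.preferred_username=""`,
	`time=2024-02-28T17:03:12.636+01:00 level=INFO msg="accept OpenVPN client cid 21, kid 1" cid=21 kid=1 session_id="" common_name=lavar user.subject="" user.preferred_username=""`,
	`time=2024-02-28T17:53:15.603+01:00 level=INFO msg="successful authorization via oauth2" cid=24 kid=1 session_id="" common_name=lavar idtoken.subject=100000000000000000001 idtoken.email=user@example.com idtoken.preferred_username="" user.subject=100000000000000000001 user.preferred_username=""`,
}

func main() {
	for _, cid := range MissingIDTokenSessions(SampleLines) {
		fmt.Printf("cid=%s was accepted without ID-token claims; check the CONFIG_OAUTH2_ISSUER / endpoint settings\n", cid)
	}
}
```

Run it against a real log with `journalctl -u openvpn-auth-oauth2` piped into a small reader of your own, or embed lines as above; a non-empty result means the provider returned no ID token, which is exactly the case the over-specified issuer/endpoint configuration produced here.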

@jkroepke
Owner

the only answer given to openvpn is the original openvpn username (which may be empty)

Not even that. auth-token-user is only pushed to the OpenVPN client, but not used inside OpenVPN Server.

@vincib
Contributor Author

vincib commented Feb 28, 2024

You are right: since I configured that before the google provider existed, I didn't change anything...

I reconfigured and tested again:

openvpn-auth-oauth2[2178688]: time=2024-02-28T17:53:15.603+01:00 level=INFO msg="accept OpenVPN client cid 24, kid 1" cid=24 kid=1 session_id="" common_name=lavar idtoken.subject=118119612884626932668 idtoken.email=benjamin@aaa.octopuce.fr idtoken.preferred_username="" user.subject=118119612884626932668 user.preferred_username=""

It works now. I just have this 118-something id sent to openvpn, which is not transmitted to client-connect (which confirms your last message above), so the feature request remains :)

Thanks for the references to openvpn, I'll read that...

@jkroepke
Owner

so the feature request remains :)

I would like to close this in favor of #139. That issue is about reporting the username back to OpenVPN.

If the username is in the OpenVPN context, it may then be usable in client-connect scripts.

@vincib
Contributor Author

vincib commented Feb 28, 2024

Yes, this request is a duplicate of #139. I close it now unless you have another idea.

Thanks!

@vincib vincib closed this as completed Feb 28, 2024