Allow to delegate the authentication to external programs #974
Conversation
|
Relevant issue: #867 I'm still not sure what is the best way to handle this. I've added two options simply because I find having GUI applications launched directly by Requiring the cookie to be passed as argument makes that easy, at least in my opinion. |
|
Some additional notes. I have written an application to automate the extraction of According to this the SAML page should be at I have tested this with Cisco Duo, which requires me to login using my credentials and authorize the access through a mobile application. As soon as I authorize the access I receive the If the VPN dies while the browser is open, that webpage will try to recover it by sending a new push notification to the mobile app. No credentials required in this case. This means that keeping the browser open may be desired, especially with an unstable connection. I do not know if this is the behavior of every SAML provider, but this is what I observed. To have a persistent VPN when using #!/bin/sh
(openfortivpn-webview myhost.com:443 --keep-open > /tmp/svpncookie) &
while true; do
cookie="$(cat /tmp/svpncookie)"
> /tmp/svpncookie
if [ -n "$cookie" ]; then
sudo openfortivpn myhost.com:443 --cookie "$cookie"
fi
sleep 5
doneIf your SAML page is simple you could even script everything with something like |
|
The only reason why I kept I'm still not sure about the cookie being passed through command line arguments. Even if it gets disposed rather frequently, it's still something you may want to keep secret and command line arguments are not. I liked the idea of having it passed through stdin. That can be made optional using the conventional For the record, my previous script could be improved with a named pipe. With that #!/bin/sh
pipe="/tmp/openfortivpn-cookie"
mkfifo "$pipe"
chmod 0622 "$pipe" # Anyone can write, only root can read.
while true; do
echo "Waiting for a cookie..."
read line < "$pipe"
openfortivpn host:port --cookie "$line"
done
# remove "$pipe", possibly using a 'trap'The above does not handle the case in which #!/bin/bash
pipe="/tmp/openfortivpn-cookie"
mkfifo "$pipe"
chmod 0622 "$pipe" # Anyone can write, only root can read.
# Wait for the first cookie
echo "Waiting for a cookie..."
read cookie < "$pipe"
while true; do
openfortivpn host:port --cookie "$cookie"
# Wait for up to 10 seconds to receive a new cookie.
# If not cookie is provided, keep using the old cookie.
echo "Waiting 10 seconds for a new cookie..."
read line -t 10 <> "$pipe" # not portable, bash may be required
if [ -n "$line" ]; then
# In case 'read' times out, "$line" is empty
cookie="$line"
fi
done |
|
I removed the
I think that just requiring the cookie is flexible and it allows to easily use |
|
This is working very well for me, very easy to use in combination with openfortivpn-webview |
|
Can you perhaps squash the commits into a single commit, and rebase if needed? Then I can merge. |
This adds two new options that allow to pass session cookies: --cookie and --cookie-on-stdin. Such options allow to delegate the authentication to external programs, which is mainly useful for SAML.
|
Done. |
|
For use of external browser this repository has a script for it https://github.com/filippor/XdgOpenSaml |
Some users are required to login with SAML and perform multi-factor authentications. In some cases performing the authentication without a browser is close to impossible, so it is best to delegate the operation to external programs.
This also allows to move the complexity of dealing with different SAML providers out of
openfortivpn.These changes allow users to authenticate in two different ways:
SVPNCOOKIEthrough a new command line argument (--cookie).Users are in this case expected to know how to retrieve the cookie.
This option is not strictly related to SAML, even though that is likely the main reason for using it.
Specifying a command that will be executed to retrieve theSVPNCOOKIE(--saml-handler).The command will receive the URL for the SAML authentication as argument.