client doesn't send auth-token if auth-user-pass is not defined #296
Comments
auth-token is a replacement for password and the client treats it as such. If there is no auth-user-pass in the client config, there is no password to replace and the client doesn't send the token. I may be wrong, but it looks hard to decouple the two in the current design. That said, when there is no username/password, auth-gen-token is not the right approach for handling REAUTH. Instead your server-side script/management that prompts using OPEN_URL could keep track of past authentications, and allow REAUTH without further prompts until some expiry time is reached. After all it's your authentication framework that is initiating the prompt. Be sure to always prompt for initial sessions even if the client had authenticated in the immediate past. The management interface on the server side is notified whether it's a REAUTH or not; I'm not sure whether scripts and plugins get that info -- there have been many recent changes on that front and I haven't kept track. BTW, I suppose the 120 sec reneg is for testing -- it's too frequent in production use.
The issue here is that username/password should not be entered at the OpenVPN level. The script is not able to verify or validate the credentials. The script sends an auth link back to the client and polls the IDP until the user has logged in. I thought I could use the Handling
Yes.
Not sure I understand. In the end it's the script that tells the openvpn server process that auth succeeded. It can bypass all authentication if it's a re-auth request and no "refresh token" is required for that. The OpenVPN process keeps track of it and will tell you whether it's a re-auth for a previously authenticated session or not. Again, I am not sure whether this info (whether it's re-auth or not) is passed to scripts or not -- the management interface at the server side does get this. If you also want to emulate "auth-token expiry", you will have to cache some state info (say, CID and timestamp), but nothing sensitive needs to be saved to disk. A quick hack would be to add an inlined, bogus, username-password in the client config and ignore it in your authentication script.
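As an added example (not code from the OpenVPN project or from openvpn-auth-oauth2), here is one way to implement the server-side bookkeeping suggested in the two comments above: a management-interface client that remembers, per CID, when the last full browser login completed and accepts later REAUTH events for that CID without a new prompt until a policy window (24h here, an assumption taken from the issue description) expires. It assumes the `>CLIENT:CONNECT,CID,KID` / `>CLIENT:REAUTH,CID,KID` / `>CLIENT:ENV,name=value` / `>CLIENT:ENV,END` notification format and the `client-auth-nt CID KID` and `client-deny CID KID "reason"` commands of the OpenVPN 2 management interface; how the browser/IdP login itself is driven is left to the caller (the `LoginCompleted` hook is an assumed integration point). The trace in `main()` is constructed, not a captured server log. Only a CID and a timestamp are kept, in memory, so nothing sensitive touches disk and a server restart starts every client over with a full login.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// clientEvent is one ">CLIENT:CONNECT,CID,KID" or ">CLIENT:REAUTH,CID,KID"
// notification together with the ">CLIENT:ENV,name=value" lines that follow
// it up to ">CLIENT:ENV,END".
type clientEvent struct {
	kind string // "CONNECT" or "REAUTH"
	cid  string
	kid  string
	env  map[string]string
}

// Tracker keeps, per CID, the time of the last completed browser login.
// This is the only state needed to honour a "MFA valid for N hours" policy.
type Tracker struct {
	ttl      time.Duration
	lastAuth map[string]time.Time
	pending  *clientEvent
}

func NewTracker(ttl time.Duration) *Tracker {
	return &Tracker{ttl: ttl, lastAuth: make(map[string]time.Time)}
}

// Feed consumes one line read from the management socket. Once a complete
// event has arrived it returns the command to write back ("" if none) and
// whether the caller must start the browser/IdP login for this client.
func (t *Tracker) Feed(line string, now time.Time) (cmd string, startWebLogin bool) {
	switch {
	case strings.HasPrefix(line, ">CLIENT:CONNECT,"), strings.HasPrefix(line, ">CLIENT:REAUTH,"):
		parts := strings.Split(strings.TrimPrefix(line, ">CLIENT:"), ",")
		if len(parts) != 3 {
			return "", false
		}
		t.pending = &clientEvent{kind: parts[0], cid: parts[1], kid: parts[2], env: map[string]string{}}
	case strings.HasPrefix(line, ">CLIENT:ENV,") && t.pending != nil:
		body := strings.TrimPrefix(line, ">CLIENT:ENV,")
		if body == "END" {
			ev := t.pending
			t.pending = nil
			return t.decide(ev, now)
		}
		if k, v, ok := strings.Cut(body, "="); ok {
			t.pending.env[k] = v
		}
	}
	return "", false
}

func (t *Tracker) decide(ev *clientEvent, now time.Time) (string, bool) {
	switch ev.kind {
	case "CONNECT":
		// Initial session: always run the full login, even if this CID
		// authenticated moments ago. Acceptance happens in LoginCompleted.
		delete(t.lastAuth, ev.cid)
		return "", true
	case "REAUTH":
		// Renegotiation (reneg-sec): accept silently while the last full
		// login for this CID is still inside the policy window.
		if last, ok := t.lastAuth[ev.cid]; ok && now.Sub(last) < t.ttl {
			return fmt.Sprintf("client-auth-nt %s %s", ev.cid, ev.kid), false
		}
		// Window expired (or unknown CID, e.g. after a server restart): deny.
		// The client then reconnects with a fresh CONNECT and gets the full
		// prompt, instead of receiving a web-auth request on a REAUTH.
		return fmt.Sprintf("client-deny %s %s \"session expired\"", ev.cid, ev.kid), false
	}
	return "", false
}

// LoginCompleted is the assumed hook called by the IdP callback handler once
// the browser login for this client has succeeded; it records the time and
// returns the command that accepts the client.
func (t *Tracker) LoginCompleted(cid, kid string, now time.Time) string {
	t.lastAuth[cid] = now
	return fmt.Sprintf("client-auth-nt %s %s", cid, kid)
}

func main() {
	tr := NewTracker(24 * time.Hour)
	t0 := time.Date(2023, 3, 26, 8, 0, 0, 0, time.UTC)
	// Constructed trace: connect, renegotiation after 2 minutes, another after 25 hours.
	steps := []struct {
		line string
		at   time.Time
	}{
		{">CLIENT:CONNECT,7,0", t0}, {">CLIENT:ENV,common_name=alice", t0}, {">CLIENT:ENV,END", t0},
		{">CLIENT:REAUTH,7,1", t0.Add(2 * time.Minute)}, {">CLIENT:ENV,END", t0.Add(2 * time.Minute)},
		{">CLIENT:REAUTH,7,2", t0.Add(25 * time.Hour)}, {">CLIENT:ENV,END", t0.Add(25 * time.Hour)},
	}
	for _, s := range steps {
		cmd, web := tr.Feed(s.line, s.at)
		if web { // stand-in for the browser round trip succeeding immediately
			cmd = tr.LoginCompleted("7", "0", s.at)
		}
		if cmd != "" {
			fmt.Printf("%-32s -> %s\n", s.line, cmd)
		}
	}
}
```

The initial CONNECT always goes through the browser; the REAUTH two minutes later is accepted with `client-auth-nt` without any prompt, and the REAUTH after the window is denied so the client comes back as a fresh session.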
After reading the man page, it seems like
I will look deeper into the auth-token solution for now.
You won't get a re-auth after restarting the server, but will get an initial auth.
I understand checking for re-auth doesn't feel as secure as having the client send back a token. As for auth-token-user, right, I had forgotten about it. But it may not be functional as it stands: we had an issue of the server locking the empty username at first authentication. @schwabe should have more insight into this.
True. Here is my config to test this
The auth works fine
while reauth with auth-token doesn't work fine:
May I ask if this is intentional? The man page says about
I also looked through the available environment variables. The
That's unfortunate. The management interface gets ">CLIENT: CONNECT", ">CLIENT: REAUTH" etc.
AFAICT, this is a known bug yet to be fixed. |
Should I create a new issue? This issue seems to be solved by using auth-token-user. I can find an existing issue for the empty username issue.
Hi,
On Sun, Mar 26, 2023 at 08:27:08AM -0700, Jan-Otto Kröpke wrote:
> I can find an existing issue for the empty username issue.
I ran into it when testing ``auth-token-user`` handling on the
client, and sent a patch
https://patchwork.openvpn.net/project/openvpn2/patch/20221010071229.7935-1-gert@greenie.muc.de/
... which @schwabe did not like (see discussion below the patch), but
since nobody else seemed to be affected (... yet) this didn't progress.
So we need to revisit this.
gert
(edited, because github mangles URLs that look like a mail address)
Hi @cron2, just to confirm, I posted my server logs ( auth-token is denied without any logged reason. I have not seen any error messages like
I propose an alternative solution in #299, which has way more benefits for SSO based logins and may obsolete
I would like to know if there is an idea in mind which allows to use
I guess this may not get fixed on the 2.6 track?
There seems to be a bit of "post major release exhaustion" on the developers that mostly pushed the 2.6.0 release (@schwabe, @ordex, myself). I'm slowly picking up speed again, and I find this topic important to solve... but won't find time to do much in the next two weeks, so it won't get fixed for 2.6.5. But I will discuss with @schwabe to see how to move forward. Sorry for the delay...
Hello, I would like to ask for an update here. With the deferred auth mechanism, it's not necessary that the client defines its own username, since the username/password authentication will be delegated to the browser. However, with At the moment, https://github.com/jkroepke/openvpn-auth-oauth2 is a stateless service which does not hold client state. I would like to integrate any REAUTH logic there to keep the code clean.
Sorry for the ping here, but I would like to ask if there is a potential solution visible? Authenticating at each reneg-sec interval is a big issue, since the browser will be opened; if the user is still signed in, the user is authenticated instantly. However, the OpenVPN 3 client breaks if WebAuth is requested on REAUTH. The only solution here is to configure a high reneg-sec interval, which leads to "insecure" workarounds.
I found a potential workaround here. If
is defined, OpenVPN reports
IMPORTANT NOTE
Bugs about OpenVPN Access Server, OpenVPN Connect or any other product by OpenVPN Inc. should be directly reported to OpenVPN Inc. at https://support.openvpn.net
Describe the bug
I have an OpenVPN server that uses client certificates and MFA through a web browser.
Our policy allows caching the MFA for 24h. If an OpenVPN client reconnects to the server with a valid auth-token, the MFA can be skipped.
We are using deferred authentication in combination with `OPEN_URL` to ask for username/password. That's why `auth-user-pass-optional` is configured and the client doesn't have an `auth-user-pass` directive. Our POC works fine since #261, but re-authentication happens every 120 seconds. If `auth-user-pass` is defined on the client, the auth-token based re-authentication works fine.

To Reproduce
Expected behavior
On TLS, the client should send an auth-token and the server should bypass the auth through `auth-user-pass-verify` (same behavior as when `auth-user-pass` is defined on the client).

Version information (please complete the following information):
Server: 2.6.1 [git:release/2.6/e950ca1b9fca58e9]
Client: 2.6.1
Additional context
Server Logs