Galene is a videoconferencing server that is easy to deploy and requires
moderate server resources. It is described at <https://galene.org>.
# Installation

Quick start:

```shell
git clone https://github.com/jech/galene
cd galene
CGO_ENABLED=0 go build -ldflags='-s -w'
mkdir groups
echo '{"users": {"bob": {"password":"1234", "permissions":"op"}}}' > \
    groups/example.json
./galene &
```

Point your browser at <https://localhost:8443/group/example/>, ignore the
unknown certificate warning, and log in with username "bob" and password
"1234".

See the file INSTALL in this directory for full installation instructions.
# Usage

## Locations

There is a landing page at the root of the server. It contains a form
for typing the name of a group, and a clickable list of public groups.

Groups are available under `/group/groupname/`. You may share this URL
with others; there is no need to go through the landing page.

Recordings can be accessed under `/recordings/groupname/`. This is only
available to the administrator of the group.

Some statistics are available under `/stats.json`, with a human-readable
version at `/stats.html`. This is only available to the server administrator.

## Main interface

After logging in, the user is confronted with the main interface.

### Buttons

There are up to three buttons at the top. The *Enable*/*Disable* button
enables either or both the camera and the microphone (depending on the
options set in the side menu, see below). The *Mute* button mutes or
unmutes the microphone. The *Share Screen* button shares the screen or
a window.

### Side menu

There is a menu on the right of the user interface. This allows choosing
the camera and microphone and setting the video throughput. The
*Blackboard mode* checkbox increases resolution and sacrifices framerate
in favour of image quality. The *Play local file* dialog allows streaming
a video from a local file.

### User list

There is a user list on the left. Clicking on a user opens a menu with
actions that can be applied to that user. Clicking on one's own username
opens a menu with actions that are global to the group.

### Chat pane

Double-clicking on a message opens a contextual menu.

### Text box

Typing a string in the text box at the bottom of the chat pane sends
a broadcast message to all of the users in the group.

Typing a line starting with a slash `/` in the text box causes a command
to be sent to the server. Type `/help` to get the list of available
commands; the output depends on whether you are an operator or not.
# The global configuration file

The server may be configured in the JSON file `data/config.json`. This
file may look as follows:

```json
{
    "users": {"root": {"password": "secret", "permissions": "admin"}},
    "canonicalHost": "galene.example.org"
}
```

or, better, with a hashed password:

```json
{
    "users": {
        "root": {
            "password": {"type": "bcrypt", "key": "$2a$10$bTWW..."},
            "permissions": "admin"
        }
    },
    "canonicalHost": "galene.example.org"
}
```

The fields are as follows:

- `users` defines the users allowed to administer the server, and has the
  same syntax as user definitions in groups (see below), except that the
  only meaningful permission is `"admin"`;
- `writableGroups`: if true, then the API can modify group description
  files; by default, group files are treated as read-only;
- `publicServer`: if true, then cross-origin access to the server is
  allowed. This is safe if the server is on the public Internet, but not
  necessarily so if it is on a private network.
- `proxyURL`: if running behind a reverse proxy, this specifies the root
  URL that will be visible outside the proxy.
- `canonicalHost`: the canonical name of the host running the server;
  this will cause clients to be redirected if they use a different
  hostname to access the server.
# Group definitions

Groups are defined by files in the `./groups` directory (this may be
configured by the `-groups` command-line option, try `./galene -help`).
The definition for the group called *groupname* is in the file
`groups/groupname.json`; it does not contain the group name, which makes
it easy to copy or link group definitions. You may use subdirectories:
a file `groups/teaching/networking.json` defines a group called
*teaching/networking*.

## Examples

A typical group definition file looks like this:

```json
{
    "users": {
        "jch": {"password": "1234", "permissions": "op"}
    },
    "allow-recording": true,
    "auto-subgroups": true
}
```

This defines a group with the operator (administrator) username *jch* and
password *1234*. The `allow-recording` entry says that the operator is
allowed to record videos to disk, and the `auto-subgroups` entry says
that subgroups will be created automatically. This particular group does
not allow password login for ordinary users, and is suitable if you use
invitations (see *Stateful Tokens* below) for ordinary users.

In order to allow password login for ordinary users, add password entries
with the permission `present`:

```json
{
    "users": {
        "jch": {"password": "1234", "permissions": "op"},
        "john": {"password": "secret", "permissions": "present"}
    }
}
```

If the group is to be publicly accessible, you may allow logins with any
username using the `wildcard-user` entry:

```json
{
    "users": {
        "jch": {"password": "1234", "permissions": "op"}
    },
    "wildcard-user": {"password": "1234", "permissions": "present"},
    "public": true
}
```

If you want to allow users to use any password, use a wildcard password:

```json
{
    "users": {
        "jch": {"password": "1234", "permissions": "op"}
    },
    "wildcard-user":
        {"password": {"type": "wildcard"}, "permissions": "present"},
    "public": true
}
```
## Reference

Every group definition file contains a single JSON dictionary (a list of
entries between `{` and `}`). All fields are optional, but unless you
specify at least one user definition (`op`, `presenter`, or `other`),
nobody will be able to join the group. The following fields are allowed:

- `users`: a dictionary that maps user names to dictionaries with
  entries `password` and `permissions`; see below for a description of
  possible permissions;
- `wildcard-user`: a dictionary with entries `password` and `permissions`
  that will be used for usernames with no matching entry in the `users`
  dictionary;
- `authKeys`, `authServer` and `authPortal`: see *Authorisation* below;
- `public`: if true, then the group is listed on the landing page;
- `displayName`: a human-friendly version of the group name;
- `description`: a human-readable description of the group; this is
  displayed on the landing page for public groups;
- `contact`: a human-readable contact for this group, such as an e-mail
  address, ignored by the server;
- `comment`: a human-readable string, ignored by the server;
- `max-clients`: the maximum number of clients that may join the group at
  a time;
- `max-history-age`: the time, in seconds, during which chat history is
  kept (default 14400, i.e. 4 hours);
- `not-before` and `expires`: the times (in ISO 8601 or RFC 3339 format)
  between which joining the group is allowed;
- `allow-recording`: if true, then recording is allowed in this group;
- `unrestricted-tokens`: if true, then ordinary users (without the "op"
  privilege) are allowed to create tokens;
- `allow-anonymous`: if true, then users may connect with an empty username;
- `auto-subgroups`: if true, then subgroups of the form `group/subgroup`
  are automatically created when first accessed;
- `autolock`: if true, the group will start locked and become locked
  whenever there are no clients with operator privileges;
- `autokick`: if true, all clients will be kicked out whenever there are
  no clients with operator privileges; this is not recommended, prefer
  the `autolock` option instead;
- `redirect`: if set, then attempts to join the group will be redirected
  to the given URL; most other fields are ignored in this case;
- `codecs`: this is a list of codecs allowed in this group. The default
  is `["vp8", "opus"]`.

The value of the `permissions` entry in a user definition can either be an
array of individual permissions, as carried by the protocol, or one of
the following strings:

- `op`, a group operator with all rights except administering the group;
- `present`, an ordinary user with the right to publish audio and video
  streams and send chat messages;
- `message`, a user with the right to send chat messages;
- `observe`, a user that receives media streams and chat messages, but
  is not allowed to send them;
- `caption`, a user with the right to display captions (only);
- `admin`, a user with the right to administer the group (only).

Supported video codecs include:

- `"vp8"` (compatible with all supported browsers);
- `"vp9"` (better video quality, but incompatible with Safari; buggy in
  Firefox);
- `"av1"` (even better video quality, only supported by some browsers,
  recording is not supported, SVC is not supported);
- `"h264"` (incompatible with Debian and with some older Android devices,
  SVC is not supported).

Supported audio codecs include `"opus"`, `"g722"`, `"pcmu"` and `"pcma"`.
Only Opus can be recorded to disk. There is no good reason to use
anything except Opus.
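The reference above describes the fields of a group file but nothing checks them before the server loads the file. The following linter is an added example (not part of Galene or its tooling) that applies the rules stated in this reference to a parsed group definition: it reports a group nobody can join, cleartext passwords, a wildcard password on a public group or attached to `op`/`admin`, the discouraged `autokick` flag, unknown `permissions` strings, and `not-before`/`expires` windows that exclude the present. The two sample group files and the severity names are constructed for the example.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Permission strings listed in the reference above.
PERMISSION_NAMES = {"op", "present", "message", "observe", "caption", "admin"}


def _parse_time(value: str) -> datetime:
    # RFC 3339 timestamp; a trailing "Z" is rewritten because fromisoformat
    # only accepts it from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def lint_group(group: dict, now: Optional[datetime] = None) -> list:
    """Check one parsed group definition against the rules in the reference
    and return (severity, message) tuples. Severities (constructed here):
    'error' (nobody can join, or privilege is given away), 'warn', 'info'."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if group.get("redirect"):
        return findings                     # most other fields are ignored
    users = dict(group.get("users", {}))
    if "wildcard-user" in group:
        users["wildcard-user"] = group["wildcard-user"]
    if not users:
        findings.append(("error", "no user definition: nobody will be able to join"))
    for name, entry in users.items():
        password = entry.get("password")
        permissions = entry.get("permissions")
        if isinstance(password, str):
            findings.append(("warn", f"{name}: cleartext password; prefer a hashed entry"))
        elif isinstance(password, dict) and password.get("type") == "wildcard":
            if permissions in ("op", "admin"):
                findings.append(("error", f"{name}: wildcard password grants {permissions}"))
            elif name == "wildcard-user" and group.get("public"):
                findings.append(("warn", "public group admits any username with any password"))
        if isinstance(permissions, list):
            findings.append(("info", f"{name}: raw permission array; may change across versions"))
        elif permissions not in PERMISSION_NAMES:
            findings.append(("error", f"{name}: unknown permissions value {permissions!r}"))
    if group.get("autokick"):
        findings.append(("warn", "autokick is set; the reference recommends autolock instead"))
    if "not-before" in group and now < _parse_time(group["not-before"]):
        findings.append(("info", "not-before is in the future; nobody can join yet"))
    if "expires" in group and now >= _parse_time(group["expires"]):
        findings.append(("warn", "expires is in the past; nobody can join any more"))
    return findings


def lint_file(text: str, now: Optional[datetime] = None) -> list:
    """Lint the JSON text of a group file (the on-disk form)."""
    return lint_group(json.loads(text), now)


# Constructed sample definitions, modelled on the examples above.
WEAK_GROUP = """{
    "users": {"jch": {"password": "1234", "permissions": "op"}},
    "wildcard-user": {"password": {"type": "wildcard"}, "permissions": "present"},
    "public": true,
    "autokick": true,
    "expires": "2020-01-01T00:00:00Z"
}"""

# "key" and "salt" are placeholders, not a real hash.
STRICT_GROUP = """{
    "users": {"jch": {"password": {"type": "pbkdf2", "hash": "sha-256",
              "key": "00", "salt": "00", "iterations": 4096}, "permissions": "op"}},
    "autolock": true,
    "allow-recording": true
}"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_GROUP), ("strict", STRICT_GROUP)):
        print(label)
        for severity, message in lint_file(text):
            print(f"  [{severity}] {message}")
```

Run it over every file under `groups/` before deploying; the weak sample produces four warnings, the strict one none.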
## Client Authorisation

Galene implements three authorisation methods: a simple username/password
authorisation scheme, a scheme using stateful tokens and a mechanism based
on cryptographic tokens that are generated by an external server. The
former two mechanisms are intended to be used in standalone installations,
while the server-based mechanism is designed to allow easy integration
with an existing authorisation infrastructure (such as LDAP, OAuth2, or
even Unix passwords).
### Password authorisation

When password authorisation is used, authorised usernames and passwords are
defined directly in the group configuration file, in the `users` and
`fallback-users` entries. The `users` entry is a dictionary that maps
user names to user descriptions; the `fallback-users` entry is a list of user
descriptions that are used with usernames that don't appear in `users`.

Every user description is a dictionary with fields `password` and
`permissions`. The `password` field may be a literal password string, or
a dictionary describing a hashed password or a wildcard. The
`permissions` field should be one of `op`, `present`, `message` or
`observe`. (An array of Galene's internal permissions is also allowed,
but this is not recommended, since internal permissions may vary from
version to version.)

For example, the entry

```json
"users": {"jch": {"password": "1234", "permissions": "op"}}
```

specifies that user "jch" may log in as operator with password "1234", while

```json
"fallback-users": [{"password": "1234", "permissions": "present"}]
```

allows any username with password *1234*. Finally,

```json
"fallback-users": [
    {"password": {"type": "wildcard"}, "permissions": "present"}
]
```

allows any username with any password.
### Hashed passwords

If you don't wish to store cleartext passwords on the server, you may
generate hashed passwords with the `galenectl` utility. A user entry with
a hashed password looks like this:

```json
"users": {
    "jch": {
        "password": {
            "type": "pbkdf2",
            "hash": "sha-256",
            "key": "f591c35604e6aef572851d9c3543c812566b032b6dc083c81edd15cc24449913",
            "salt": "92bff2ace56fe38f",
            "iterations": 4096
        },
        "permissions": "op"
    }
}
```
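To make the three `password` forms described under *Password authorisation* concrete (a literal string, a `{"type": "wildcard"}` dictionary, and the pbkdf2 dictionary shown above), here is an added example, written for this page and not taken from Galene or `galenectl`, that produces a pbkdf2 entry and checks a login attempt against a group definition. It assumes, from the sample entry, that `key` and `salt` are hex-encoded and that `hash` is `sha-256`; bcrypt entries are deliberately left unhandled. The sample group, its salt and the function names are constructed.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Assumed encoding, read off the sample entry above: hex key and salt,
# integer iteration count, "hash": "sha-256".
DEFAULT_ITERATIONS = 4096
SALT_BYTES = 8    # the sample salt is 8 bytes
KEY_BYTES = 32    # the sample key is 32 bytes (SHA-256 output size)


def make_pbkdf2_entry(password: str, salt: Optional[bytes] = None,
                      iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Build a {"type": "pbkdf2", ...} password dictionary for a user entry.
    A fresh random salt is drawn unless one is supplied (tests pass a fixed one)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, KEY_BYTES)
    return {"type": "pbkdf2", "hash": "sha-256", "key": key.hex(),
            "salt": salt.hex(), "iterations": iterations}


def check_password(stored, candidate: str) -> bool:
    """Decide whether `candidate` satisfies a user entry's `password` field.
    Handles a literal string, a wildcard dictionary and a pbkdf2 dictionary;
    anything else (including bcrypt) is rejected here."""
    if isinstance(stored, str):
        # literal password: constant-time comparison, same as the hashed case
        return hmac.compare_digest(stored.encode(), candidate.encode())
    if not isinstance(stored, dict):
        return False
    kind = stored.get("type")
    if kind == "wildcard":
        return True
    if kind == "pbkdf2":
        if stored.get("hash") != "sha-256":
            return False
        expected = bytes.fromhex(stored["key"])
        salt = bytes.fromhex(stored["salt"])
        derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt,
                                      int(stored["iterations"]), len(expected))
        return hmac.compare_digest(derived, expected)
    return False


def authenticate(group: dict, username: str, password: str) -> Optional[str]:
    """Resolve a login against a group definition: a named entry in `users`
    wins; otherwise `wildcard-user` applies. Returns the permissions value
    on success and None on failure."""
    entry = group.get("users", {}).get(username)
    if entry is None:
        entry = group.get("wildcard-user")
    if entry is None or not check_password(entry.get("password"), password):
        return None
    return entry.get("permissions")


# Constructed sample group (hypothetical salt; the key is computed, not copied).
SAMPLE_GROUP = {
    "users": {
        "jch": {
            "password": make_pbkdf2_entry("1234", salt=bytes.fromhex("0011223344556677")),
            "permissions": "op",
        }
    },
    "wildcard-user": {"password": {"type": "wildcard"}, "permissions": "present"},
    "public": True,
}

if __name__ == "__main__":
    print(json.dumps(SAMPLE_GROUP, indent=4))
    print("jch/1234  ->", authenticate(SAMPLE_GROUP, "jch", "1234"))
    print("jch/wrong ->", authenticate(SAMPLE_GROUP, "jch", "wrong"))
    print("guest/x   ->", authenticate(SAMPLE_GROUP, "guest", "x"))
```

Note that a wrong password for a name listed in `users` fails outright rather than falling through to `wildcard-user`, matching the reference's wording that the wildcard entry applies only to usernames with no matching entry.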
### Stateful tokens

Stateful tokens allow access to be granted to a user temporarily. In order to
generate a stateful token, the group administrator types

```
/invite user period
```

where `user` is the username granted to the temporary user, and `period`
is the time period for which the token will be valid (for example `2d`,
meaning 2 days). The server replies with a link, valid for the given time
period, that may be sent to the temporary user, for example by e-mail.

Tokens may also be granted without imposing a specific username:

```
/invite '' 2d
```

Stateful tokens are revokable (use the `/revoke` command) and their
lifetime may be extended (use the `/reinvite` command).
### Authorisation servers

Galene is able to delegate authorisation decisions to an external
authorisation server. This makes it possible to integrate Galene with an
existing authentication and authorisation infrastructure, such as LDAP,
OAuth2 or even Unix passwords.

When an authorisation server is used, the group configuration file
specifies one or more public keys in JWK format (with the restriction that
the "alg" key must be specified). In addition, it may specify either an
authorisation server or an authorisation portal.

```json
{
    "authKeys": [{
        "kty": "oct",
        "alg": "HS256",
        "k": "MYz3IfCq4Yq-UmPdNqWEOdPl4C_m9imHHs9uveDUJGQ"
    }, {
        "kty": "EC",
        "alg": "ES256",
        "crv": "P-256",
        "x": "dElK9qBNyCpRXdvJsn4GdjrFzScSzpkz_I0JhKbYC88",
        "y": "pBhVb37haKvwEoleoW3qxnT4y5bK35_RTP7_RmFKR6Q"
    }],
    "authServer": "https://auth.example.org"
}
```

If multiple keys are provided, then they will all be tried in turn, unless
the token includes the "kid" header field, in which case only the
specified key will be used.
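The key-selection rule just stated, together with the requirement that every JWK carry an "alg", is what keeps a multi-key setup safe: the algorithm comes from the configured key, never from the token. The following is an added example, not Galene's verifier, that mints an HS256 token the way an authorisation server would and checks it against the `authKeys` list from the sample above (copied here, with hypothetical `kid` values added since the sample has none, and a second constructed HS256 key). Only HS256 is verified; the ES256 entry is kept to show that a key whose "alg" does not match the token header is never consulted. The claim layout (`sub`, `aud`, `permissions`, `iat`, `exp`) is an assumption for illustration; the README does not specify it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed copy of the authKeys list above; "kid" values and the second
# HS256 key are additions for this example.
AUTH_KEYS = [
    {"kty": "oct", "alg": "HS256", "kid": "k1",
     "k": "MYz3IfCq4Yq-UmPdNqWEOdPl4C_m9imHHs9uveDUJGQ"},
    {"kty": "oct", "alg": "HS256", "kid": "k2",
     "k": b64url_encode(b"constructed-second-key-of-32-bytes")},
    {"kty": "EC", "alg": "ES256", "kid": "k3", "crv": "P-256",
     "x": "dElK9qBNyCpRXdvJsn4GdjrFzScSzpkz_I0JhKbYC88",
     "y": "pBhVb37haKvwEoleoW3qxnT4y5bK35_RTP7_RmFKR6Q"},
]


def sign_hs256(claims: dict, jwk: dict, kid: Optional[str] = None) -> str:
    """Mint a compact HS256 JWT as an authorisation server would; `kid`, if
    given, goes into the header so the verifier can pick the key directly."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def _hs256_ok(jwk: dict, signing_input: str, sig: bytes) -> bool:
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, sig)


def verify_token(token: str, keys: list, now: Optional[float] = None) -> Optional[dict]:
    """Verify a token against the configured key list and return its claims,
    or None. Every key is tried in turn unless the header names a "kid",
    in which case only that key is used."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    candidates = keys
    if "kid" in header:
        candidates = [k for k in keys if k.get("kid") == header["kid"]]
    # The configured JWK's "alg" is authoritative: a header naming another
    # algorithm (or "none") matches no key and is rejected.
    candidates = [k for k in candidates if k.get("alg") == header.get("alg")]
    if not any(k["alg"] == "HS256" and _hs256_ok(k, h + "." + p, sig) for k in candidates):
        return None                       # ES256 would need an EC library; not handled
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        return None
    return claims


if __name__ == "__main__":
    now = int(time.time())
    claims = {"sub": "alice", "aud": "https://galene.example.org/group/example/",
              "permissions": ["present"], "iat": now, "exp": now + 3600}
    print(verify_token(sign_hs256(claims, AUTH_KEYS[1], kid="k2"), AUTH_KEYS))
```

A token signed with the second key but carrying `"kid": "k1"` fails, because only the named key is tried; the same token without a `kid` succeeds, because every key is tried in turn.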
If an authorisation server is specified, then the default client, after it
prompts for a password, will request a token from the authorisation server
and will join the group using token authentication. The password is never
communicated to the Galene server.

If an authorisation portal is specified, then the default client will
redirect initial client connections to the authorisation portal. The
authorisation portal is expected to authorise the client and then redirect
it to Galene with the `username` and `token` query parameters set.
# Further information

Galène's web page is at <https://galene.org>.

Answers to common questions and issues are at <https://galene.org/faq.html>.

-- Juliusz Chroboczek <https://www.irif.fr/~jch/>