1
Fork 0
mirror of https://github.com/jech/galene.git synced 2024-11-22 16:45:58 +01:00

Implement authPortal.

This commit is contained in:
Juliusz Chroboczek 2022-02-19 23:58:31 +01:00
parent a86fb08f6c
commit a9c9581465
3 changed files with 24 additions and 7 deletions

18
README
View file

@ -94,7 +94,7 @@ following fields are allowed:
definitions (see *Authorisation* below) and specifies the users allowed definitions (see *Authorisation* below) and specifies the users allowed
to connect respectively with operator privileges, with presenter to connect respectively with operator privileges, with presenter
privileges, and as passive listeners; privileges, and as passive listeners;
- `authServer` and `authKeys`: see *Authorisation* below; - `authKeys`, `authServer` and `authPortal`: see *Authorisation* below;
- `public`: if true, then the group is visible on the landing page; - `public`: if true, then the group is visible on the landing page;
- `displayName`: a human-friendly version of the group name; - `displayName`: a human-friendly version of the group name;
- `description`: a human-readable description of the group; this is - `description`: a human-readable description of the group; this is
@ -201,11 +201,10 @@ existing authentication and authorisation infrastructure, such as LDAP,
OAuth2 or even Unix passwords. OAuth2 or even Unix passwords.
When an authorisation server is used, the group configuration file When an authorisation server is used, the group configuration file
specifies the URL of the authorisation server and one or more public keys specifies one or more public keys in JWK format. In addition, it may
in JWK format: specify either an authorisation server or an authorisation portal.
{ {
"authServer": "https://auth.example.org",
"authKeys": [{ "authKeys": [{
"kty": "oct", "kty": "oct",
"alg": "HS256", "alg": "HS256",
@ -219,12 +218,23 @@ in JWK format:
"y": "pBhVb37haKvwEoleoW3qxnT4y5bK35_RTP7_RmFKR6Q", "y": "pBhVb37haKvwEoleoW3qxnT4y5bK35_RTP7_RmFKR6Q",
"kid": "20211101" "kid": "20211101"
}] }]
"authServer": "https://auth.example.org",
} }
The `kid` field serves to distinguish among multiple keys, and must match The `kid` field serves to distinguish among multiple keys, and must match
the value provided by the authorisation server. If the server doesn't the value provided by the authorisation server. If the server doesn't
provide a `kid`, the first key with a matching `alg` field will be used. provide a `kid`, the first key with a matching `alg` field will be used.
If an authorisation server is specified, then the default client, after it
prompts for a password, will request a token from the authorisation server
and will join the group using token authentication. The password is never
communicated to the server.
If an authorisation portal is specified, then the default client will
redirect initial client connections to the authorisation portal. The
authorisation portal is expected to authorise the client and then redirect
it to Galene with the `username` and `token` query parameters set.
# Further information # Further information

View file

@ -972,11 +972,14 @@ type Description struct {
// A list of logins for non-presenting users. // A list of logins for non-presenting users.
Other []ClientPattern `json:"other,omitempty"` Other []ClientPattern `json:"other,omitempty"`
// The URL of the authentication server. // The (public) keys used for token authentication.
AuthKeys []map[string]interface{} `json:"authKeys"`
// The URL of the authentication server, if any.
AuthServer string `json:"authServer"` AuthServer string `json:"authServer"`
// The (public) keys of the authentication server // The URL of the authentication portal, if any.
AuthKeys []map[string]interface{} `json:"authKeys"` AuthPortal string `json:"authPortal"`
// Codec preferences. If empty, a suitable default is chosen in // Codec preferences. If empty, a suitable default is chosen in
// the APIFromNames function. // the APIFromNames function.
@ -1152,6 +1155,7 @@ type Status struct {
DisplayName string `json:"displayName,omitempty"` DisplayName string `json:"displayName,omitempty"`
Description string `json:"description,omitempty"` Description string `json:"description,omitempty"`
AuthServer string `json:"authServer,omitempty"` AuthServer string `json:"authServer,omitempty"`
AuthPortal string `json:"authPortal,omitempty"`
Locked bool `json:"locked,omitempty"` Locked bool `json:"locked,omitempty"`
ClientCount *int `json:"clientCount,omitempty"` ClientCount *int `json:"clientCount,omitempty"`
} }
@ -1162,6 +1166,7 @@ func (g *Group) Status (authentified bool) Status {
Name: g.name, Name: g.name,
DisplayName: desc.DisplayName, DisplayName: desc.DisplayName,
AuthServer: desc.AuthServer, AuthServer: desc.AuthServer,
AuthPortal: desc.AuthPortal,
Description: desc.Description, Description: desc.Description,
} }

View file

@ -3779,6 +3779,8 @@ async function start() {
username = parms.get('username'); username = parms.get('username');
token = parms.get('token'); token = parms.get('token');
await serverConnect(); await serverConnect();
} else if(groupStatus.authPortal) {
window.location.href = groupStatus.authPortal;
} else { } else {
let container = document.getElementById("login-container"); let container = document.getElementById("login-container");
container.classList.remove('invisible'); container.classList.remove('invisible');