[pve-devel] OAuth2 Authentication
Andreas Steinel
a.steinel at gmail.com
Wed Mar 28 17:33:54 CEST 2018
Hi Dietmar,
On Wed, Mar 28, 2018 at 5:17 PM, Dietmar Maurer <dietmar at proxmox.com> wrote:
> I thought OAuth2 is not even an authentication protocol, so how do you
> want to implement authentication on top of OAuth2? OpenID connect?
Both should work (at least with GitLab). I just tried - for another
project - the OAuth2 authentication based on OpenID with Apache
(mod_auth_openidc, [1]) to GitLab's OpenID compatibility layer to its
OAuth2 and documented it in the project's wiki. It was - in the end -
very straightforward and simple to set up.
I'm going to have a look at the available perl modules for OAuth2 and
I hope it'll be a drop-in replacement for our current LDAP-backed
authentication on PVE. OAuth2 authentication normally works similarly to
this:
- client app has a unique ID and secret that has to be registered with
the OAuth2 server, as well as a redirect-back URL. This authorises the
client app on the authentication server.
- client app just redirects to the authentication server, in which the
user will authenticate (or already has) and gets redirected back to the
client app with e.g. the username and a positive response
- client app now knows the authenticated user's name and can proceed
- authorisation has to be done on the client, so no further things
like groups etc. are used, but it does exactly what is needed for PVE
(or at least what I understand is required for LDAP)
Best,
Andreas
[1] https://github.com/zmartzone/mod_auth_openidc/wiki
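The flow outlined in the mail above, as an added example that is not part of this thread and not Proxmox or GitLab code: a Python model of the OAuth2 authorization-code flow with OIDC claims, where a constructed in-memory FakeAuthServer stands in for the provider and the `pve` client registration, URLs and secret are assumptions. It shows the three checks the description implies: the registered redirect-back URL, the state bound to one login attempt, and the one-time code redeemed with the client secret, with authorisation left to the client.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qsl

class FakeAuthServer:  # constructed stand-in for the provider (e.g. GitLab): in-memory, unsigned claims
    def __init__(self, clients):
        self.clients = clients  # client_id -> (secret, registered redirect-back URL)
        self.codes = {}         # one-time code -> (client_id, redirect_uri, username, nonce)
    def authorize(self, authorize_url, username):
        # The user authenticates here; the server only redirects back to the registered URL.
        q = dict(parse_qsl(urlparse(authorize_url).query))
        if q["redirect_uri"] != self.clients[q["client_id"]][1]:
            raise ValueError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], username, q["nonce"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})
    def token(self, client_id, client_secret, code, redirect_uri):
        entry = self.codes.pop(code, None)  # single use: a second redemption finds nothing
        if entry is None or entry[:2] != (client_id, redirect_uri) \
                or self.clients.get(client_id, (None,))[0] != client_secret:
            raise ValueError("invalid or replayed code, or bad client credentials")
        return {"preferred_username": entry[2], "nonce": entry[3]}  # ID-token claims

class Client:
    def __init__(self, server, client_id, secret, redirect_uri):
        self.server, self.client_id, self.secret, self.redirect_uri = server, client_id, secret, redirect_uri
    def start_login(self):
        # Fresh state (binds the redirect-back to this attempt) and OIDC nonce for every login.
        self.state, self.nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        return "https://idp.example/oauth/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "scope": "openid",
            "redirect_uri": self.redirect_uri, "state": self.state, "nonce": self.nonce})
    def finish_login(self, redirect_back_url):
        q = dict(parse_qsl(urlparse(redirect_back_url).query))
        if q.get("state") != self.state:
            raise ValueError("state mismatch: response not bound to this login attempt")
        claims = self.server.token(self.client_id, self.secret, q["code"], self.redirect_uri)
        if claims["nonce"] != self.nonce:
            raise ValueError("nonce mismatch: ID token not for this login attempt")
        return claims["preferred_username"]  # PVE would map this to a user; authorisation stays local

def demo_login(username="alice"):
    cb = "https://pve.example/oauth/callback"  # assumed redirect-back URL registered for the client
    server = FakeAuthServer({"pve": ("client-secret", cb)})
    client = Client(server, "pve", "client-secret", cb)
    back = server.authorize(client.start_login(), username)
    name = client.finish_login(back)
    try:  # replaying the same redirect-back URL must fail: the code was consumed
        client.finish_login(back)
    except ValueError:
        return name, True
    return name, False
```

`demo_login()` returns the authenticated username together with a flag showing that a replay of the same redirect-back URL was rejected.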