Poor Documentation #361
Comments
Thank you for your report. The documentation might not be complete. As you mentioned, I have a head start, and I’m open to documentation improvements from the community as well. However, some of your expectations are not within the scope of openvpn-auth-oauth2. openvpn-auth-oauth2 is a server-exclusive add-on. It cannot control any client-side behavior. Regarding the documentation, notable client-side mechanics will be documented in the context of the standard OpenVPN client. It seems like you are using Viscosity.
As I mentioned, openvpn-auth-oauth2 doesn’t have any control over client semantics. If you are using OpenVPN for Windows or Tunnelblick for Mac, you can achieve that. Both client implementations open a new browser window.
That's a good point, and I will improve the documentation here. In its default configuration, openvpn-auth-oauth2 does not store any tokens. If openvpn-auth-oauth2 runs in OIDC mode (with no endpoints configured via CLI), and If There is no known mechanism to log out the user without interaction. According to https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout, openvpn-auth-oauth2 must redirect the end-user to the OIDCProviderEndSessionEndpoint. However, this is not possible because OpenVPN does not offer a mechanism to open the client’s browser session at disconnect. OIDC session revocation is a long-standing discussion in general. The known approach, as far as I’m aware, is to reduce the timeout to a minimum to lower the risk of a session takeover. To my knowledge, openvpn-auth-oauth2 can only revoke tokens and cannot control the end-user’s session without interaction.
That’s correct; there is nothing to manage.
Did you read the documentation? https://github.com/jkroepke/openvpn-auth-oauth2/wiki/Layout-Customization
The solution is feature-complete, and there is a working demo available. Most issues depend on the end-user’s environment, which is not known to me. There are multiple confirmations that the product works as expected.
Current Behavior
Team,
You have a head start on a complete product. However, the documentation lacks the following:
Expected Behavior
When OpenVPN is launched, it should spawn a new browser window that will redirect to Keycloak and close the window upon successful login.
When OpenVPN disconnects the connection, Keycloak should log out the server via: https:///realms//protocol/openid-connect/logout (OIDCProviderEndSessionEndpoint) and not rely on Keycloak to time out the session.
There is no UI to manage the HTTP server on the default port 9000, nor is there an example of where to place the index.html and its customization.
Steps To Reproduce
No response
Environment
openvpn-auth-oauth2 logs
openvpn server logs
Anything else?
This is a great start. A complete solution is required prior to publishing the product as mainstream.