Poor Documentation #361

Open

mohankchandrashekar opened this issue Dec 1, 2024 · 1 comment
Labels
🐞 bug Something isn't working

Comments

@mohankchandrashekar

Current Behavior

Team,

You have a head start on a complete product. However, the documentation lacks the following:

  1. a pop-up window that prompts for login id/password and closes the window upon successful login
  2. when the user logs out, OIDC/Keycloak should execute a proper logout from Keycloak .. this is a security issue, as some hacker can take over the existing session
  3. a proper UI should be in place to manage the HTTP server... config.yaml is not sufficient -- incomplete documentation

Expected Behavior

When openvpn is launched, it should spawn a new browser window that will redirect to Keycloak and close the window upon successful login.

When openvpn disconnects the connection, Keycloak should log out the server via: https:///realms//protocol/openid-connect/logout (OIDCProviderEndSessionEndpoint) and not rely on Keycloak to time out the session.

There is no UI to manage the HTTP server on default port 9000, nor is there an example of where to place the index.html and its customization.

Steps To Reproduce

No response

Environment

  • openvpn-auth-oauth2 Version:
  • OpenVPN Server Version:
  • Server OS:
  • OpenVPN Client (flavor, OS):
  • OIDC Provider:

openvpn-auth-oauth2 logs

viscositytechnology.com reason=ESTABLISHED session_id=sIgsh7Hr8X5ztYWj session_state=Initial vpn_ip=192.168.255.2
2024-11-30T18:03:06.501037-06:00 ovpnoauth openvpn-auth-oauth2[35769]: time=2024-11-30T18:03:06.500-06:00 level=WARN msg="Bad Request: state is empty" error_id=f14ee2c5427ab176b81ff15609e5de2f9e62f0c185703c0d5f96d3a0ddc980b5
2024-11-30T18:03:06.504771-06:00 ovpnoauth openvpn-auth-oauth2[35769]: time=2024-11-30T18:03:06.500-06:00 level=ERROR msg="executing template: template: : \"\" is an incomplete or empty template"
2024-11-30T18:03:06.504934-06:00 ovpnoauth openvpn-auth-oauth2[35769]: time=2024-11-30T18:03:06.500-06:00 level=ERROR msg="http: superfluous response.WriteHeader call from github.com/jkroepke/openvpn-auth-oauth2/internal/oauth2.writeError (handler.go:301)"
2024-11-30T18:03:15.385246-06:00 ovpnoauth openvpn-auth-oauth2[35769]: time=2024-11-30T18:03:15.384-06:00 level=WARN msg="Bad Request: state is empty" error_id=fac711a3d109dbe85d9a122701022e3005cd8271d3f4b9f4b91f2b37faed8b2f
2024-11-30T18:03:15.385459-06:00 ovpnoauth openvpn-auth-oauth2[35769]: time=2024-11-30T18:03:15.384-06:00 level=ERROR msg="executing template: template: : \"\" is an incomplete or empty template"
2024-11-30T18:03:15.385583-06:00 ovpnoauth openvpn-auth-oauth2[35769]: time=2024-11-30T18:03:15.384-06:00 level=ERROR msg="http: superfluous response.WriteHeader call from github.com/jkroepke/openvpn-auth-oauth2/internal/oauth2.writeError (handler.go:301)"
2024-11-30T18:03:19.043000-06:00 ovpnoauth openvpn-auth-oauth2[35769]: time=2024-11-30T18:03:19.042-06:00 level=WARN msg="Bad Request: state is empty" error_id=b0db3cd116eed7e064e9053abc11d224dc0376750ac8da7b5d6cdc93e30d54ce
2024-11-30T18:03:19.043200-06:00 ovpnoauth openvpn-auth-oauth2[35769]: time=2024-11-30T18:03:19.042-06:00 level=ERROR msg="executing template: template: : \"\" is an incomplete or empty template"
2024-11-30T18:03:19.043295-06:00 ovpnoauth openvpn-auth-oauth2[35769]: time=2024-11-30T18:03:19.042-06:00 level=ERROR msg="http: superfluous response.WriteHeader call from github.com/jkroepke/openvpn-auth-oauth2/internal/oauth2.writeError (handler.go:301)"

openvpn server logs

OpenVPN connects without issue. Upon disconnect the session still persists on Keycloak; this is a huge security issue.

Anything else?

This is a great start. A complete solution is required prior to publishing the product as mainstream.

@mohankchandrashekar mohankchandrashekar added the 🐞 bug Something isn't working label Dec 1, 2024
@jkroepke
Owner

jkroepke commented Dec 1, 2024

Hi @mohankchandrashekar,

Thank you for your report.

The documentation might not be complete. As you mentioned, I have a head start, and I’m open to documentation improvements from the community as well.

However, some of your expectations are not within the scope of openvpn-auth-oauth2.

openvpn-auth-oauth2 is a server-exclusive add-on. It cannot control any client-side behavior. Regarding the documentation, notable client-side mechanics will be documented in the context of the standard OpenVPN client.

It seems like you are using Viscosity.

pop-up window that prompts for login id/password and closes the window upon successful login
...
when openvpn is launched, it should spawn a new browser window that will redirect to keycloak and close the window upon successful login.

As I mentioned, openvpn-auth-oauth2 doesn’t have any control over client semantics. If you are using OpenVPN for Windows or Tunnelblick for Mac, you can achieve that. Both client implementations open a new browser window.

when user logs out OIDC/Keycloak should execute proper logout from Keycloak .. this is a security issue as some hacker can take over the existing session

That's a good point, and I will improve the documentation here.

In its default configuration, openvpn-auth-oauth2 does not store any tokens.

If openvpn-auth-oauth2 runs in OIDC mode (with no endpoints configured via CLI), and oauth2.refresh.enabled is set to true while oauth2.refresh.use-session-id is set to false (default), then openvpn-auth-oauth2 will execute the revoke token endpoint. At that point, no active tokens remain for that session.

If oauth2.refresh.use-session-id=true is set (required for a mobile client experience), then the logout will be skipped. There is no indicator if the user experiences a network timeout or explicitly terminates the session.

There is no known mechanism to log out the user without interaction. According to https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout, openvpn-auth-oauth2 must redirect the end-user to the OIDCProviderEndSessionEndpoint. However, this is not possible because OpenVPN does not offer a mechanism to open the client’s browser session at disconnect.

OIDC session revocation is a long-standing discussion in general. The known approach, as far as I’m aware, is to reduce the timeout to a minimum to lower the risk of a session takeover. To my knowledge, openvpn-auth-oauth2 can only revoke tokens and cannot control the end-user’s session without interaction.

there is no UI to manage HTTP server on default port 9000

That’s correct; there is nothing to manage.

nor is there an example of where to place the index.html and its customization.

Did you read the documentation?

https://github.com/jkroepke/openvpn-auth-oauth2/wiki/Layout-Customization

Complete solution is required prior to publishing the product as mainstream.

The solution is feature-complete, and there is a working demo available. Most issues depend on the end-user’s environment, which is not known to me. There are multiple confirmations that the product works as expected.
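The distinction drawn in the reply above, between what a server-side hook can do when a VPN client disconnects (revoke the refresh token at the provider's revocation endpoint, RFC 7009) and what only the user's browser can do (RP-initiated logout at the end-session endpoint), written out as an added Go example. This is not code from openvpn-auth-oauth2; the in-process mock provider, the `openvpn`/`s3cret` client credentials, the Keycloak-style `/protocol/openid-connect/...` paths and the token values are constructed for the example.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// ProviderEndpoints: RFC 7009 revocation (server-side) and RP-initiated logout (browser-side).
type ProviderEndpoints struct{ RevocationEndpoint, EndSessionEndpoint string }

// RevokeToken posts an RFC 7009 revocation for a refresh token, authenticating the
// client with HTTP Basic credentials. The RFC requires a 200 once the token is
// invalid, so any other status is reported as a failure worth logging.
func RevokeToken(ctx context.Context, client *http.Client, ep ProviderEndpoints,
	clientID, clientSecret, refreshToken string) error {
	form := url.Values{"token": {refreshToken}, "token_type_hint": {"refresh_token"}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost,
		ep.RevocationEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("revocation failed: %s", resp.Status)
	}
	return nil
}

// EndSessionURL builds the RP-initiated logout URL. The provider ends the browser
// session only when the user agent itself is sent here, which is exactly the step
// a server-only disconnect hook has no way to perform.
func EndSessionURL(ep ProviderEndpoints, idTokenHint, clientID, postLogoutRedirect string) (string, error) {
	if idTokenHint == "" && clientID == "" {
		return "", fmt.Errorf("id_token_hint or client_id is required")
	}
	u, err := url.Parse(ep.EndSessionEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	for k, v := range map[string]string{"id_token_hint": idTokenHint,
		"client_id": clientID, "post_logout_redirect_uri": postLogoutRedirect} {
		if v != "" {
			q.Set(k, v)
		}
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// RevocationRecord is what the constructed mock provider remembers per accepted call.
type RevocationRecord struct{ Token, TokenTypeHint string }

// MockProvider is a constructed in-process stand-in for a provider's revocation
// endpoint (Keycloak-style path, not a real provider). Like a real provider it
// rejects unauthenticated clients and records every successful revocation.
type MockProvider struct {
	Server  *httptest.Server
	mu      sync.Mutex
	Revoked []RevocationRecord
}

func NewMockProvider(clientID, clientSecret string) *MockProvider {
	m := &MockProvider{}
	m.Server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if id, secret, ok := r.BasicAuth(); !ok || id != clientID || secret != clientSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		if r.ParseForm() != nil || r.PostForm.Get("token") == "" {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		m.mu.Lock()
		m.Revoked = append(m.Revoked, RevocationRecord{r.PostForm.Get("token"), r.PostForm.Get("token_type_hint")})
		m.mu.Unlock()
		w.WriteHeader(http.StatusOK)
	}))
	return m
}

// Endpoints returns the mock's URLs in the shape discovery metadata would provide.
func (m *MockProvider) Endpoints() ProviderEndpoints {
	return ProviderEndpoints{m.Server.URL + "/protocol/openid-connect/revoke", m.Server.URL + "/protocol/openid-connect/logout"}
}
```

Calling `RevokeToken` on disconnect removes the refresh token, which is the part of the cleanup a server can perform without the user; `EndSessionURL` is included only to make visible what the provider would still need from the browser before the SSO session itself is closed, which is why a short provider session timeout remains the compensating control.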

@jkroepke jkroepke mentioned this issue Dec 1, 2024