Issue created Jan 27, 2020 by Alan Jowett@Alan_JowettDeveloper

Add support for RFC6750 bearer tokens to ocserv to permit the validation of OpenID Connect auth tokens

OpenID Connect is an OAuth 2.0 protocol used to identify a resource owner (VPN client end-user) to a resource server (VPN server) intermediated by an Authorization server.

 +--------+                               +---------------+
 |        |--(A)- Authorization Request ->|   Resource    |
 |        |                               |     Owner     |
 |        |<-(B)-- Authorization Grant ---|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(C)-- Authorization Grant -->| Authorization |
 | Client |                               |     Server    |
 |        |<-(D)----- Access Token -------|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(E)----- Access Token ------>|    Resource   |
 |        |                               |     Server    |
 |        |<-(F)--- Protected Resource ---|               |
 +--------+                               +---------------+

There is a fairly wide variety of public OpenID Connect providers available, including Google, Microsoft and others, as well as a variety of OpenID Connect client libraries.

Once this work is completed on both client and server, the following flow is possible.

  1. User launches the VPN client, either explicitly or on-demand.
  2. VPN client queries the identity platform to obtain an id token.
  3. Identity platform determines if it already has an id token or authorization grant.
    • Valid ID token - Return the token
    • Valid authorization grant - Silently obtain an id token and return the token
    • No valid grant - Login to the authorization server, either explicitly or implicitly (assuming identity federation), then obtain the id token and return it.
  4. VPN client then uses the id token to connect to the VPN server

In the ideal case, the user is connected to the VPN server without any prompts, either because the user is already logged into the authorization server or because they have identity federation enabled.
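As an added example (not code from this issue or from ocserv), here is what the resource-server side of step 4 / leg (E) has to check when the id token arrives as an RFC 6750 bearer token: the header parse, the signature, and the iss/aud/exp claims. It assumes a constructed HS256 shared secret and constructed issuer/audience values so that it runs offline; real OIDC id tokens are usually RS256-signed and verified against the provider's published JWKS instead.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values, not from the issue. Real OIDC id tokens are usually
# RS256-signed and verified against the provider's JWKS; HS256 keeps this offline.
SECRET = b"constructed-demo-secret"
EXPECTED_ISS = "https://issuer.example"   # the identity platform we trust
EXPECTED_AUD = "ocserv-vpn"               # the client_id issued for the VPN server

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def extract_bearer(authorization_header: str):
    """RFC 6750 2.1: 'Authorization: Bearer <token>'. None if absent or malformed."""
    scheme, _, token = authorization_header.strip().partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None

def validate_id_token(token: str, now: float = None) -> dict:
    """Check signature first, then iss/aud/exp; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    h, p, sig = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; never accept 'none'
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == EXPECTED_AUD or (isinstance(aud, list) and EXPECTED_AUD in aud)):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    return claims

def make_token(claims: dict) -> str:
    """Mint a constructed HS256 id token so the validator can be exercised offline."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```

The order matters: the signature is checked before any claim is read, so an unsigned or tampered payload never influences the issuer/audience decision.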
