Add support for RFC6750 bearer tokens to ocserv to permit the validation of OpenID Connect auth tokens
OpenID Connect is an OAuth 2.0 protocol used to identify a resource owner (VPN client end-user) to a resource server (VPN server) intermediated by an Authorization server.
+--------+ +---------------+
| |--(A)- Authorization Request ->| Resource |
| | | Owner |
| |<-(B)-- Authorization Grant ---| |
| | +---------------+
| |
| | +---------------+
| |--(C)-- Authorization Grant -->| Authorization |
| Client | | Server |
| |<-(D)----- Access Token -------| |
| | +---------------+
| |
| | +---------------+
| |--(E)----- Access Token ------>| Resource |
| | | Server |
| |<-(F)--- Protected Resource ---| |
+--------+ +---------------+There are fairly wide variety of public OpenID Connect providers available, including Google, Microsoft and others as well as a variety of OpenID Connect client libraries.
Once this work is completed on both client and server, the following flow is possible.
- User launches the VPN client, either explicitly or on-demand.
- VPN client queries the identity platform to obtain an id token.
- Identity platform determines if it already has an id token or authorization grant.
- Valid ID token - Return the token
- Valid authorization grant - Silently obtain a id token and return the token
- No valid grant - Login to the authorization server, either explicitly or implicitly (assuming identity federation), then obtain the id token and return it.
- VPN client then uses the id token to connect to the VPN server
In the ideal case, the user is connected to the VPN server with out any prompts, either because the user is already logged into the authorization server or because they have identity federation enabled.