WEB_AUTH, am I doing it right?

Posted: Mon Jul 04, 2022 12:40 pm
by nimrof
Playing a little bit with WEB_AUTH and I just want to check if I am doing something silly.

This is my test setup:
1. Ovpn server running with management-client-auth configured
2. Script that monitors the management interface and looks for connection events
3. Webserver that does the sso authentication

When the script detects a connection and checks that it supports web_auth, it then sends WEB_AUTH:external[or other flag]:{long_random_string} to the connection id and signals the webserver to expect a connection with the random string.

The webserver gets a connection that matches the random string.
User signs in.
Webserver signals the script to accept the connection.
User is connected.

There is no way to tell the OpenVPN server to change the cn based on web sign-in, so the information on who is connecting on what connection id needs to be stored somewhere outside OpenVPN.

Does this sound right?
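
The flow described in the post, as an added sketch that is not part of the original post or of OpenVPN itself: it parses a `>CLIENT:CONNECT` block, checks `IV_SSO` for `webauth`, issues a single-use expiring token, and keeps the connection-id-to-user mapping outside OpenVPN. Assumptions: the `client-pending-auth {CID} {KID} {EXTRA} {TIMEOUT}` form (check `management-notes.txt` for your version), the hypothetical `BASE_URL`, the 120-second timeout, and the constructed sample lines.

```python
import secrets
import time

PENDING = {}      # token -> pending session, stored outside OpenVPN
TIMEOUT = 120     # assumed: seconds allowed for the web sign-in
BASE_URL = "https://sso.example.test/vpn?t="   # hypothetical SSO web server

def parse_connect(lines):
    """Parse one >CLIENT:CONNECT notification block into (cid, kid, env)."""
    cid = kid = None
    env = {}
    for line in lines:
        if line.startswith(">CLIENT:CONNECT,"):
            cid, kid = (int(x) for x in line.split(",")[1:3])
        elif line.startswith(">CLIENT:ENV,") and line != ">CLIENT:ENV,END":
            name, _, value = line[len(">CLIENT:ENV,"):].partition("=")
            env[name] = value
    return cid, kid, env

def on_connect(lines, now=None):
    """Return the management command to send for a new connection."""
    now = time.time() if now is None else now
    cid, kid, env = parse_connect(lines)
    if "webauth" not in env.get("IV_SSO", "").split(","):
        return f'client-deny {cid} {kid} "web auth not supported"'
    token = secrets.token_urlsafe(32)          # unguessable, URL-safe
    PENDING[token] = {"cid": cid, "kid": kid,
                      "cn": env.get("common_name"), "expires": now + TIMEOUT}
    return (f"client-pending-auth {cid} {kid} "
            f"WEB_AUTH:external:{BASE_URL}{token} {TIMEOUT}")

def on_sso_success(token, sso_user, identities, now=None):
    """Called by the web server after sign-in; each token works once."""
    now = time.time() if now is None else now
    session = PENDING.pop(token, None)         # pop makes replay fail
    if session is None or now > session["expires"]:
        return None
    # The certificate CN cannot be changed, so record who signed in per CID.
    identities[session["cid"]] = {"sso_user": sso_user, "cn": session["cn"]}
    return f"client-auth-nt {session['cid']} {session['kid']}"

# Constructed sample of a management-interface connect notification.
SAMPLE = [">CLIENT:CONNECT,7,0", ">CLIENT:ENV,common_name=laptop-42",
          ">CLIENT:ENV,IV_SSO=openurl,webauth,crtext", ">CLIENT:ENV,END"]
```
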