Adding domain to authentication on FreeRadius - freeradius

I've currently installed freeradius on a CentOS server so that I can use a MFA with google authenticator.
The main purpose is the user submits it's username and password(with GoogleAuth code added to password) and freeradius checks against a AD Server if its ok to access.
Well so far so good the Radius server comunicates with AD and validates the user as long as the username has the format user#domain.local
I wanted to be able to allow the user to only submit the username and not adding the #domain.local to the "textbox"
Is there anyway I can tell freeradius pam module to add the suffix to the authentication ?

Related

Hiding the IP address and port of my Authorization Server

I consider building a web application and I want to use OAuth2 protocol for the authentication and authorization of users.
I know that Client Server redirects user to Authorization Server to enter username and password. Thus, user can see the URL of login page on browser. I do not want to show what is written on url actually to user due to security reasons. I do not want to expose my Authorization Server with an host name and port to public.
As a solution, I decided Client Server act on behalf of user(browser). That means, client server will send get login page request and return the response (html) coming from Authorization Server. This is simple and I am able to serve login page on Client Server, but I do not know how can I make a request model (client-id, client-secret, redirect-uri, username, password) and where I will send request to (for example "/oauth2/authorize" and then "/oauth2/token") manually. I should apply all the steps in the right order. Can you suggest me this approach? or do you have any idea to achieve hiding the Authorization Server from public? or that is not so important?

'Provided Authorization Grant is invalid' error while trying to login a dockerized application using wso2

I have dockerized our Angular application which have been using WSO2 as API manager . After doing the configurations, i was able to run the application successfully and able to hit all existing api's. The only issue arises when i tried to use oath2/token api for performing login operation of our customer . Even though, the same code was used to perform authentication earlier(before dockerization) without any issues,now i am getting error as
{
"error": "invalid_grant",
"error_description": "Provided Authorization Grant is invalid"
}
Token generation api for login :
https://<myapplicationurl>:9443/oauth2/token
Errors am getting in docker console while trying to login using username 'devtest7#mailinator.com' :
Things to note :
WSO2 AM version is 2.1.0 , WSO2 IS version is 5.3.0
Arguments(headers & parameters) for the request is the same as that
used earlier(except the username and password).
I am able to create a new users and the corresponding user is listed
in Carbondb users list.
The issue exists while trying to login using existing user as well as
newly created users.
I have recently generated new ssl certificate for the application.
Able to login using super admin only . Login using newly created email and username is not working.
I tried solutions seen on stackoverflow which doesn't fixed my issues. Can any one please help?
There is a line in the above logs saying that SP tenant is not equal to user tenant and SP is not SaaS. Are the SP and users are from different tenants? Normally users cannot access SP across different tenants.
If you want to make the SP accessible across different tenants then you need to enable SaaS application option in the SP. Check this doc to learn more about SaaS application https://docs.wso2.com/display/IS530/Adding+and+Configuring+a+Service+Provider
Thanks for everyone who commented and tried to figure out the solution for the issue i mentioned. I got the resolution for the issue . As i tried multiple times to login by doing permutations and combinations in configurations, authentication was blocked for me. As a reason, i couldn't login and generate access token . I was able to resolve it by changing a flag in identity.xml file inside IS .
Changed the UserOperationEventListener enabling from 'true' to 'false' .
Before:
<EventListener enable="true" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" type="org.wso2.carbon.user.core.listener.UserOperationEventListener"/>
After:
<EventListener enable="false" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" type="org.wso2.carbon.user.core.listener.UserOperationEventListener"/>
This change allowed me to block the invalid authentication check. We are anyway adding that check from our code side.
According to the logs, it says
Non-SaaS service Provider's tenant domain is not same as user tenant
domain; carbon.super != mailinator.com
From the logs, the SP's is in the carbon.super tenant. But it considers the user as in the tenant mailinator.com.
When we specify the username for password grant with email as username, we have to use the full username with the tenant domain. (devtest7#mailinator.com#carbon.super).

Google OAuth 2 Refresh Token is Missing for Web App but Present for localhost

Problem: Missing OAuth 2 Refresh Token.
The problem is that the localhost version receives a Refresh Token as part of the granted token but the same code running in GCE does not.
Details:
I have written a Python Flask application that implements Google OAuth 2.0. This web application runs in the cloud with a verified domain name, valid SSL certificate and HTTPS endpoint. This web application unmodified also runs as localhost. The differences between the runtime is that the localhost version does not use TLS. There are no other differences in the code flow.
Other than the Refresh Token is missing and I cannot automatically renew a token, everything works perfectly.
I have researched this issue extensively. API problems such as access_type=offline etc are correctly implemented otherwise I would not get a Refresh Token in the localhost version.
I am using the requests_oauthlib python library.
gcp = OAuth2Session(
app.config['gcp_client_id'],
scope=scope,
redirect_uri=redirect_uri)
# print('Requesting authorization url:', authorization_base_url)
authorization_url, state = gcp.authorization_url(
authorization_base_url,
access_type="offline",
prompt="select_account",
include_granted_scopes='true')
session['oauth_state'] = state
return redirect(authorization_url)
# Next section of code after the browser approves the request
token = gcp.fetch_token(
token_url,
client_secret=app.config['gcp_client_secret'],
authorization_response=request.url)
The token has refresh_token when running in localhost but not when running with in the cloud.
This Google document discusses refresh tokens, which indicates that this is supported for web applications.
Refreshing an access token (offline access)
[Update 11/18/2018]
I found this bug report which gave me a hint to change my code from this:
authorization_url, state = gcp.authorization_url(
authorization_base_url,
access_type="offline",
prompt="select_account",
include_granted_scopes='true')
to this:
authorization_url, state = gcp.authorization_url(
authorization_base_url,
access_type="offline",
prompt="consent",
include_granted_scopes='true')
Now I am receiving the Refresh Token in the public server version and the localhost version.
Next I searched for documentation on the prompt option and found this:
OpenID Conect prompt
prompt (Optional)
A space-delimited list of string values that specifies whether the
authorization server prompts the user for reauthentication and
consent. The possible values are:
none
The authorization server does
not display any authentication or user consent screens; it will return
an error if the user is not already authenticated and has not
pre-configured consent for the requested scopes. You can use none to
check for existing authentication and/or consent.
consent
The authorization server prompts the user for consent before returning
information to the client.
select_account
The authorization server
prompts the user to select a user account. This allows a user who has
multiple accounts at the authorization server to select amongst the
multiple accounts that they may have current sessions for.
If no value is specified and the user has not previously authorized access, then
the user is shown a consent screen.
I think the Google documentation should be updated. On the same page, the following text appears:
access_type (Optional)
The allowed values are offline and online. The
effect is documented in Offline Access; if an access token is being
requested, the client does not receive a refresh token unless offline
is specified.
That statement caused me a lot of confusion trying to debug why I could not obtain a Refresh Token for the public server version but I could for the localhost version.

freeRadius using EAP with custom auth script

I am attempting to setup a freeradius server to authenticate against a web service. The reason for this is that there is a complicated workflow involving account status and mac address. The workflow seemed out of place to be in freeradius. So my user names, and encrypted passwords are stored remotely to the radius server. Everything works fine using radclient to test. When I started using the the Access Point, I learned it only communicates with the radius server via eap-tls. This means that the User-Password argument is not available for my script.
Is there a way to have eap auth check for user authentication against my script? By this i mean, can i get the password to send to my secondary service?
Alternately, is there a way to get the User-Password from the encrypted eap-message data?
Access points don't usually place restrictions on the EAP type. The device connecting to the AP negotiates an EAP type with FreeRADIUS. If it's using EAP-TLS it's probably a windows machine that hasn't been configured to do anything different.
Investigate EAP flavours to find out which ones are available. If you have EAP-TTLS-PAP you can send the plaintext password from the wireless client, and user it to authenticate against the web service.
In FreeRADIUS v3.0.x there's a rlm_rest module, which can perform basic auth on behalf of the user, with very little configuration.

Rails set basic http Auth Credentials programatically

authenticate_or_request_with_http_basic do |user, password|
user == USER && password == PASSWORD
end
The above code asks for a username and password in a regular fashion (using basic_http_auth)
My idea was to create a user login page , some how check the username & password to be valid and then authenticate him.
Now authenticate him means to create a header that would have been sent by browser if he was actually authenticated via basic_http_auth . i.e to set the simple http auth credentials
The requirement is so because there is another non ruby app that would run on the same domain internally & would check if the user is authenticated via simple_http_auth.
The over all picture would be something like this :
Rails app : authenticates user.
The second non ruby app just checks if the user is authenticated since its under the same domin it can simply access the user_name password send via http_basic auth.
The other idea is to run a rails api service that would determine if the user is logged in or not , and call it via the second app. But I don't prefer doing that.
Hi Gaurav you should try to set your default username and password values with default http setting in "config/initializers " folder inside setup_mail.rb file

Resources