Implementing a "pseudo" device code flow for SAML-based authentication with AnyConnect gateways
Rahul Rameshbabu
sergeantsagara at protonmail.com
Sun Nov 13 14:49:46 PST 2022
Hi,
One use case I keep running into is authenticating on a headless system
(imagine getty tty session only) with the SAML auth flow for an
AnyConnect gateway. I would like to be able to do so without needing to
remote port forward over ssh for the socket openconnect opens during the
external browser auth process.
Below is a diagram illustrating my high level understanding of the
external browser auth process.
      ------------------------        ------------------------
      | Openconnect queries  |        | external-browser     |
      | Anyconnect gateway   |  --->  | capability available | ----
      | capabilities         |        | , use if flagged for |    |
      ------------------------        ------------------------    |
                                                                  |
                                                                  |
      ------------------------        -------------------------   |
      | Receive base64 blob  |        | socket server on port |   |
      | sent by HTTP GET     |  <---  | 29786. Spawn browser. | <--
 ---- | through the browser  |        | Begin auth flow.      |
 |    | (JavaScript does not |        -------------------------
 |    | initiate the request)|
 |    ------------------------
 |
 |    --------------------------
 |    | Socket server responds |
 |    | to browser with an     |
 |    | HTTP 302 to a "pretty" |
 ---> | static success page    |
      | provided by the        |
      | AnyConnect gateway     |
      --------------------------
ref: https://gitlab.com/openconnect/openconnect/-/blob/ae96f9c8bb72466872edb82d9ec73add8630148b/hpke.c#L56-64
Taking advantage of the external browser authentication architecture, I
would like to attempt doing something like the diagram below.
      ------------------------        ------------------------
      | Openconnect queries  |        | external-browser     |
      | Anyconnect gateway   |  --->  | capability available | -----
      | capabilities         |        | , use if flagged for |     |
      ------------------------        ------------------------     |
                                                                   |
------------------------------------------------------------------------
| Pseudo-device code flow                                          |   |
|                                                                  |   |
|      ------------------------        -------------------------   |   |
|      | Receive base64 blob  |        | Output link + QR code |   |   |
|      | sent by HTTP GET     |  <---  | (opened/scanned by    | <--   |
| ---- | through the browser  |        | authenticating device)|       |
| |    | (JavaScript does not |        -------------------------       |
| |    | initiate the request)|                                        |
| |    ------------------------                                        |
| |                                                                    |
| |    --------------------------        ---------------------------   |
| |    | HTTP GET request fails |        | User copies base64 blob |   |
| |    | because there is no    |        | into input prompt.      |   |
| ---> | server to handle the   |  -->   | Openconnect establishes |   |
|      | request. base64 blob   |        | the VPN connection.     |   |
|      | stuck in URL bar       |        ---------------------------   |
|      --------------------------                                      |
|                                                                      |
------------------------------------------------------------------------
An external device is typically needed in MFA setups anyway, so moving
the authentication process to an external device altogether seemed
logical in this situation. I wanted to get opinions before starting any
implementation work on this.
-- Rahul Rameshbabu
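A sketch of the headless side of the input prompt proposed above, added here as an illustration; it is not code from openconnect or from the original post. It prints the link for the authenticating device, then recovers the base64 blob from whatever the user pastes back, either the full failed loopback URL copied out of the browser's address bar or the bare blob. The port 29786 is the one named in the post; the query parameter name `id` and the loopback-only check are assumptions made for this sketch.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Port from the post; the parameter name is an assumption for this sketch.
REDIRECT_PORT = 29786
BLOB_PARAM = "id"


def extract_blob(pasted: str) -> bytes:
    """Recover the SAML result blob from what the user pasted back.

    Accepts the failed loopback redirect URL copied from the address bar
    (e.g. http://localhost:29786/?id=...) or just the blob, and returns the
    decoded bytes. Raises ValueError for anything that does not fit the flow.
    """
    text = pasted.strip()
    if "://" in text:
        parts = urlsplit(text)
        # Sanity check: the only URL this flow produces is the loopback
        # redirect that openconnect would normally have served itself.
        if parts.hostname not in ("localhost", "127.0.0.1") or parts.port != REDIRECT_PORT:
            raise ValueError("not the expected loopback redirect URL")
        values = parse_qs(parts.query).get(BLOB_PARAM)
        if not values:
            raise ValueError(f"no '{BLOB_PARAM}' parameter in the pasted URL")
        text = values[0]
    # Browsers and copy/paste may turn '+' into a space, use the URL-safe
    # alphabet, or drop '=' padding; normalise before strict decoding.
    text = text.replace(" ", "+").replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError("pasted text is not valid base64") from exc


def prompt_for_blob(link: str, read=input) -> bytes:
    """Show the link for the other device, then wait for the blob to be pasted."""
    print("Open this URL on another device to complete the SAML login:")
    print(f"  {link}")
    print(f"When the browser fails to reach localhost:{REDIRECT_PORT}, paste")
    print("its address bar contents (or just the blob) below.")
    return extract_blob(read("blob or URL> "))
```

A QR code for the printed link can be rendered by any terminal QR library; that part is left out here because it does not change how the blob is recovered.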