On Wed, 2020-01-22 at 20:05 +0000, Alan Jowett wrote:
> OpenConnect folks,
>
> Patch to add support to the OpenConnect client to send RFC 6750-style
> bearer tokens during establishment of the TLS tunnel.
>
> Background:
> My team is working on a feature to support using OpenID Connect
> tokens (https://openid.net/specs/openid-connect-core-1_0.html) to
> authenticate and authorize clients connecting to an OpenConnect
> server. There is a growing list of OpenID Connect providers that this
> should work with, making this change fairly broadly applicable.

Looks like Alan added an issue here:
https://gitlab.com/openconnect/openconnect/issues/99

I'll point out that this is in some ways similar to the "alternative secret" junk that I have to do for GlobalProtect+SAML to work. What the two have in common is that authentication uses some alternative cookie field instead of the usual password field, and this field can't be autodetected from the "normal" authentication forms sent by the server.

If I've got that right, then hopefully we can unify the API for these "alternative secrets".

What we're currently doing with GP+SAML is jamming ":ALT_SECRET_FIELD" onto the end of the URL path, and parsing it out from there:
https://gitlab.com/openconnect/openconnect/blob/master/auth-globalprotect.c#L573-582

That's fairly horrid… it'd be good to have a uniform mechanism to specify this via the command-line AND the libopenconnect API.

-Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
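Two mechanisms come up in this thread: sending an RFC 6750 bearer token to the server, and the GP+SAML trick of appending ":ALT_SECRET_FIELD" to the URL path. The C below is an added illustration written for this page; it is not Alan's patch and not OpenConnect's auth-globalprotect.c, and every function name in it is hypothetical. The first part builds the `Authorization: Bearer` header only after checking the token against the b64token grammar of RFC 6750 section 2.1, so a token taken from a command line, config file or environment variable cannot carry CR/LF into the request and add headers of its own. The second part is a strrchr-based split of a `server/path:FIELD` string of the kind the message describes, with the ambiguity that makes that encoding fragile: a bare `host:port` also ends in a colon-delimited suffix. Sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 6750 section 2.1:
 *   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
 * Anything else (space, quote, CR, LF, non-ASCII) is rejected, which is
 * what stops a hostile token value from injecting extra header lines. */
static int is_b64token_char(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '.' || c == '_' ||
           c == '~' || c == '+' || c == '/';
}

int valid_b64token(const char *tok)
{
    size_t i = 0, n = strlen(tok);

    while (i < n && is_b64token_char((unsigned char)tok[i]))
        i++;
    if (i == 0)                      /* at least one real character */
        return 0;
    while (i < n && tok[i] == '=')   /* padding only at the very end */
        i++;
    return i == n;
}

/* Hypothetical helper: malloc'd "Authorization: Bearer <tok>\r\n", or NULL
 * when the token fails the grammar. Caller frees. */
char *bearer_header(const char *tok)
{
    static const char prefix[] = "Authorization: Bearer ";
    size_t len;
    char *hdr;

    if (!valid_b64token(tok))
        return NULL;
    len = sizeof(prefix) - 1 + strlen(tok) + 3;   /* + "\r\n" + NUL */
    hdr = malloc(len);
    if (!hdr)
        return NULL;
    snprintf(hdr, len, "%s%s\r\n", prefix, tok);
    return hdr;
}

/* Convenience for checking: build the header for tok, compare, free. */
int bearer_header_equals(const char *tok, const char *expected)
{
    char *hdr = bearer_header(tok);
    int ok = hdr != NULL && strcmp(hdr, expected) == 0;
    free(hdr);
    return ok;
}

/* Hypothetical split of "server/path:FIELD" at the last ':' into path and
 * alt-secret field name. Returns 1 if a field was split off, 0 if none,
 * -1 if a buffer is too small. A ':' followed by a '/' is left alone so
 * "host:443/path" keeps its port, but a bare "host:443" has no '/' after
 * the colon and is read as field "443": the suffix has no unambiguous
 * delimiter, which is the weakness of encoding it in the URL at all. */
int split_alt_secret(const char *in, char *path, size_t pathsz,
                     char *field, size_t fieldsz)
{
    const char *colon = strrchr(in, ':');
    size_t plen;

    if (!colon || colon[1] == '\0' || strchr(colon + 1, '/')) {
        if (strlen(in) >= pathsz)
            return -1;
        strcpy(path, in);
        field[0] = '\0';
        return 0;
    }
    plen = (size_t)(colon - in);
    if (plen >= pathsz || strlen(colon + 1) >= fieldsz)
        return -1;
    memcpy(path, in, plen);
    path[plen] = '\0';
    strcpy(field, colon + 1);
    return 1;
}

/* Convenience for checking: does `in` split into exactly (xpath, xfield)? */
int alt_secret_splits_to(const char *in, const char *xpath, const char *xfield)
{
    char path[128], field[128];
    int rc = split_alt_secret(in, path, sizeof path, field, sizeof field);
    return rc >= 0 && strcmp(path, xpath) == 0 && strcmp(field, xfield) == 0;
}

int main(void)
{
    /* Constructed token; a real one would come from the OIDC provider. */
    char *hdr = bearer_header("eyJhbGciOiJSUzI1NiJ9.e30.c2ln");
    char path[128], field[128];

    printf("%s", hdr ? hdr : "token rejected\n");
    free(hdr);
    printf("%s\n", bearer_header("abc\r\nX-Evil: 1") ? "accepted" : "CRLF token rejected");
    split_alt_secret("vpn.example.com/gateway:alt-cookie-field",
                     path, sizeof path, field, sizeof field);
    printf("path=%s field=%s\n", path, field);
    return 0;
}
```

The grammar check is the part worth keeping whatever the final API looks like: once the secret arrives through a proper command-line option or libopenconnect call rather than a URL suffix, it still has to be validated before it is placed in a header line.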