https://gitlab.com/openconnect/ocserv/-/merge_requests/128

I believe this feature is now at the point where it makes sense to start the process of reviewing this merge request. The change includes the new bearer auth module as well as a set of tests to verify correct handling of tokens.

Note: This change is off by default, and until 'configure --enable-bearer-auth' is used this should be entirely a no-op.

Goals for this change at a high level:

  - Permit AuthN/AuthZ decisions to be made based on the claims presented by a client during connection establishment.
  - Claims are embedded in a signed OpenID Connect token and sent as Bearer tokens in HTTP headers.
  - The administrator can configure which claims are accepted to control the AuthZ behavior.

This change was tested using Azure's OpenID Connect provider, but should function with Google and other OIDC providers that correctly follow the spec.

To configure bearer auth, add the following to the .config file:

  auth = "bearer[config=<path to config file>]"

The config file is JSON with the following format:

  {
    "openid_configuration_url": "<uri of openid-configuration doc>",
    "user_name_claim": "preferred_username",
    "required_claims": {
      "aud": "SomeAudience",
      "iss": "SomeIssuer"
    }
  }

Example openid-configuration doc URIs are:

  https://accounts.google.com/.well-known/openid-configuration
  https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

Required claims control which claims must be present in a token to permit access. See your OpenID Connect provider for details on claims and the OpenID Connect metadata document URL.

Future work:

  - TLS channel binding of the token.
  - Support for multi-value claims (i.e. group membership).
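The following is an added example, not code from the merge request or from ocserv, that models the claims policy the post describes: pull the token out of an HTTP Authorization header, parse the compact JWS, and grant access only when every entry in "required_claims" matches and "user_name_claim" is present, failing closed otherwise. It goes slightly beyond the post in two places: it also checks "exp"/"nbf" and rejects "alg":"none" tokens, and it accepts an "aud" array as RFC 7519 allows. Signature verification against the provider's JWKS (discovered via "openid_configuration_url") is assumed to have happened before these checks and is out of scope here; the configuration URL, user names, and token signature are constructed placeholders.

```python
import base64
import json
import time

# Constructed configuration in the JSON format described in the post.
# The URL is a placeholder; this example never fetches it.
CONFIG = {
    "openid_configuration_url": "https://idp.example.invalid/.well-known/openid-configuration",
    "user_name_claim": "preferred_username",
    "required_claims": {"aud": "SomeAudience", "iss": "SomeIssuer"},
}


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_from_authorization(header_value):
    """Return the bearer token from an Authorization header value, or None.
    The scheme name is case-insensitive (RFC 7235)."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip() or None


def parse_jwt(token):
    """Split a compact JWS into (header, claims); raise ValueError if malformed.
    Signature verification against the provider's JWKS is assumed to have
    happened already and is not performed here."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(segments[0]))
    claims = json.loads(_b64url_decode(segments[1]))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    # An unsigned token can never have passed signature verification.
    if str(header.get("alg", "")).lower() == "none":
        raise ValueError("unsigned token")
    return header, claims


def claim_matches(claims, name, expected):
    """Exact-match one required claim. 'aud' may be a string or an array of
    strings (RFC 7519 section 4.1.3), so membership counts as a match there."""
    value = claims.get(name)
    if name == "aud" and isinstance(value, list):
        return expected in value
    return value == expected


def authorize(claims, config, now=None):
    """Return the user name if the claims satisfy the policy, else None."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp:
        return None  # missing or expired: fail closed
    nbf = claims.get("nbf")
    if nbf is not None and (not isinstance(nbf, (int, float)) or now < nbf):
        return None  # not yet valid
    for name, expected in config["required_claims"].items():
        if not claim_matches(claims, name, expected):
            return None
    user = claims.get(config["user_name_claim"])
    return user if isinstance(user, str) and user else None


def authorize_request(header_value, config, now=None):
    """Authorization header value -> user name, or None on any failure."""
    token = token_from_authorization(header_value)
    if token is None:
        return None
    try:
        _header, claims = parse_jwt(token)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    return authorize(claims, config, now)


def make_test_token(claims, alg="RS256"):
    """Constructed token with a placeholder signature, for exercising the policy
    offline. Real tokens are issued and signed by the OIDC provider."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


NOW = 1_700_000_000  # fixed clock so the results are reproducible
_BASE = {"iss": "SomeIssuer", "aud": "SomeAudience",
         "preferred_username": "alice@example.invalid", "exp": NOW + 600}
GOOD = make_test_token(_BASE)
WRONG_AUD = make_test_token({**_BASE, "aud": "OtherAudience"})
EXPIRED = make_test_token({**_BASE, "exp": NOW - 1})
UNSIGNED = make_test_token(_BASE, alg="none")

if __name__ == "__main__":
    for label, tok in [("good", GOOD), ("wrong aud", WRONG_AUD),
                       ("expired", EXPIRED), ("unsigned", UNSIGNED)]:
        print(label, "->", authorize_request(f"Bearer {tok}", CONFIG, now=NOW))
```

Every rejection path returns None rather than a partial result, so a missing claim, a wrong issuer or audience, an expired token, or a header that is not a Bearer credential all look the same to the caller and no user name is ever derived from a token that did not pass the whole policy.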