Re: Patch to add support to the OpenConnect client to send RFC6750 style bearer tokens during establishment of the TLS tunnel.

On Thu, Jan 23, 2020 at 3:36 AM David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
>
> Even if not, if the bearer token is persistent and just stored
> alongside the VPN configuration, we need a way for libopenconnect to
> provide it; please either add an API for it in addition to the command-
> line option you add in main.c, or let's see if we can work it into the
> generic form handling as a specific thing that gets requested.

I just left a review on this MR. Couple small issues around
enable-by-default that could use eyeballs.
https://gitlab.com/openconnect/openconnect/-/merge_requests/70

> For example, if we see an 'Authorization: Bearer' challenge and we
> *don't* already have a token, we could present the user with a form
> asking for the token? You still need a wrapper or something to provide
> it, but it fits into the NetworkManager secret storage model without
> any changes that way.

The Bearer token could also be supported via…

* `--token-mode=BEARER --token-secret=(string or filename)`, same as
RSA or OATH tokens, rather than adding a new `--bearer-token` option.
That way, we wouldn't need to add any new API functions, and GUIs
could support it simply by adding a new option to their token mode
dropdown. The Bearer would be treated basically like an RSA or OATH
secret: something that the user has to configure ahead of time, rather
than enter on-the-fly.

Upside: no new API functions.
Downside: this probably isn't the way the Bearer token is used in the
real world. It probably doesn't remain valid for a long time.

* Treating it as an alternative that replaces the password, much like
the GlobalProtect+SAML “alternative secret.” Perhaps add an
`--alt-secret=[BEARER, GP-cookie-name]` option to integrate the two?

Upside: probably closer to the way it's actually used. Would allow us
to get rid of my horrid GP urlpath hack, or at least replace it 😬
Downside: still doesn't give OpenConnect a way to do the whole auth
flow from the CLI/API, or integrate with a GUI auth dialog.

Thanks,
Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
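As an added illustration (not code from the MR or from OpenConnect itself), here is how a client could recognize the RFC 6750 Bearer challenge David mentions, validate a token against the b64token grammar before putting it in the Authorization header, and decide when to raise a form for the user; the function names and the prompt policy are assumptions for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* True when a WWW-Authenticate value announces a Bearer challenge (RFC 6750
 * section 3): scheme is case-insensitive and must end the word ("Bearerx" fails). */
int is_bearer_challenge(const char *www_auth)
{
    while (isspace((unsigned char)*www_auth))
        www_auth++;
    if (strncasecmp(www_auth, "Bearer", 6) != 0)
        return 0;
    return www_auth[6] == '\0' || isspace((unsigned char)www_auth[6]);
}

/* RFC 6750 section 2.1 b64token: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~"
 * / "+" / "/" ) *"=".  Rejects empty tokens, spaces and stray bytes. */
int is_valid_b64token(const char *token)
{
    size_t i = 0, n = strlen(token);
    for (; i < n && token[i] != '='; i++)
        if (!isalnum((unsigned char)token[i]) && !strchr("-._~+/", token[i]))
            return 0;
    if (i == 0)                       /* at least one non-'=' character */
        return 0;
    for (; i < n; i++)
        if (token[i] != '=')
            return 0;
    return 1;
}

/* The header line the client sends once a token is known (RFC 6750 section
 * 2.1). Returns 0 on success, -1 if the token is malformed or out is too small. */
int build_bearer_header(const char *token, char *out, size_t outlen)
{
    int n;
    if (!is_valid_b64token(token))
        return -1;
    n = snprintf(out, outlen, "Authorization: Bearer %s\r\n", token);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* David's suggestion: a Bearer challenge arrived and no token is stored
 * alongside the configuration, so prompt the user instead of failing. */
int should_prompt_for_token(const char *www_auth, const char *stored_token)
{
    return is_bearer_challenge(www_auth) &&
           (stored_token == NULL || stored_token[0] == '\0');
}
```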