Discussion:
OpenID Connect (RP) plugin
b***@gmail.com
2021-06-03 00:00:31 UTC
Hello.

I'd like to configure a Cyrus deployment to use an OpenID Connect Provider (Keycloak server) for authentication purposes.

I couldn't find any off-the-shelf / pre-existing connector. So I thought I'd write one, and make it available to the Community.

I presume the ideal extension point for this in Cyrus is to develop a SASL-plugin that implements OpenID Connect client (RP / Relying Party) functionality.

I just wanted to ask here first if -
a) it's something that's already been done / tried / abandoned before,
b) I have the right extension point in mind for Cyrus (include/saslplug.h), and
c) might be useful to others.

rgds,
Brenton

------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/T507fc7ab05af3690-Mc18c1e4a0ec63d82ef3486eb
Delivery options: https://cyrus.topicbox.com/groups/sasl/subscription
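Whatever mechanism wrapper eventually carries it, the piece of "RP functionality" that decides whether the server may trust an identity is the validation of the ID token the provider hands back. The following is an added example, not part of Brenton's post and not Cyrus SASL code: plain Python, standard library only. The issuer URL, client_id, shared secret and nonce are made-up values, and HS256 signing with a client secret is assumed purely so the example runs offline; Keycloak signs ID tokens with RS256 by default, which replaces the HMAC check below with JWKS retrieval and RSA signature verification but leaves the claim checks unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical deployment values for the example (not from the thread).
ISSUER = "https://keycloak.example.org/realms/mail"   # Keycloak realm issuer URL (assumed)
CLIENT_ID = "cyrus-imap"                               # the RP's client_id at the IdP (assumed)
SECRET = b"example-client-secret"                      # shared HS256 key (assumption, see lead-in)
NONCE = "nonce-from-this-auth-request"                 # nonce the RP sent in its auth request
NOW = 1_700_000_000                                    # fixed clock so the example is reproducible


class TokenError(Exception):
    """Raised for any reason the token must not be accepted."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(overrides=None, alg="HS256", secret=SECRET):
    """Construct a sample ID token (constructed test input only; a real RP
    never mints ID tokens, it receives them from the provider)."""
    claims = {
        "iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1234",
        "preferred_username": "brenton", "iat": NOW - 60, "exp": NOW + 240, "nonce": NONCE,
    }
    claims.update(overrides or {})
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token, secret=SECRET, issuer=ISSUER, client_id=CLIENT_ID,
                      nonce=NONCE, now=None, clock_skew=30):
    """Check an ID token as OpenID Connect Core 3.1.3.7 requires and return
    the identity the SASL mechanism would pass to the server as authid."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to what was configured; never let the token choose
    # (this rejects alg=none and RS256->HS256 key-confusion tokens outright).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise TokenError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:   # multi-audience tokens need azp
        raise TokenError("azp mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + clock_skew <= now:
        raise TokenError("expired")
    if claims.get("nonce") != nonce:                       # binds the token to this login attempt
        raise TokenError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise TokenError("no subject")
    # Which claim becomes the SASL authid is a deployment decision; the
    # username is convenient for mailbox names, "sub" is the stable identifier.
    return claims.get("preferred_username") or claims["sub"]


def outcome(token, **kw):
    """Run the validator and report a one-line result."""
    try:
        return "accepted authid=" + validate_id_token(token, **kw)
    except TokenError as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    print(outcome(make_token(), now=NOW))
    print(outcome(make_token({"exp": NOW - 3600}), now=NOW))
    print(outcome(make_token(alg="none"), now=NOW))
    print(outcome(make_token({"aud": "other-client"}), now=NOW))
    print(outcome(make_token({"nonce": "stale"}), now=NOW))
    print(outcome(make_token(secret=b"wrong-key"), now=NOW))
```

The order of checks matters: the signature is verified before any claim is read, and the algorithm is taken from configuration rather than from the token header, so an attacker who controls the token body cannot switch it to alg=none or to a weaker scheme. The nonce check is what ties the token to the authentication exchange the mechanism started, which is the part a SASL embedding would have to carry through its own round trips.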
Rick van Rein
2021-06-03 07:31:11 UTC
Hi Brenton,
Post by b***@gmail.com
I'd like to configure a Cyrus deployment to use an OpenID Connect Provider (Keycloak server) for authentication purposes.
Interesting. Especially if you do it in such a way that it is not just
usable for HTTP clients but also for, say, IMAP, SMTP and LDAP.

I may be confusing OpenID versions here, but you are aware of the
OPENID20 mechanism defined in RFC 6616?
Post by b***@gmail.com
I couldn't find any off-the-shelf / pre-existing connector. So I thought I'd write one, and make it available to the Community.
Possibly related, we are working on an embedding of SASL in HTTP,
https://datatracker.ietf.org/doc/html/draft-vanrein-diameter-sasl

The intention here is to allow embedding any SASL mechanism in HTTP as
in other protocols. I think OpenID defines its own ways but if it is
like SAML and supports a variety of protocol embeddings then this could
be helpful.
Post by b***@gmail.com
c) might be useful to others.
It is always useful when SASL connectivity improves. Especially when
the code is available to all.

-Rick

------------------------------------------
Permalink: https://cyrus.topicbox.com/groups/sasl/T507fc7ab05af3690-Mc3cc77b7f60ee314f60eb1ad
Rick van Rein
2021-06-03 07:35:52 UTC
Sorry,
Post by Rick van Rein
Possibly related, we are working on an embedding of SASL in HTTP,
https://datatracker.ietf.org/doc/html/draft-vanrein-diameter-sasl
I should have sent
https://datatracker.ietf.org/doc/html/draft-vanrein-httpauth-sasl

The link above is related; it is how a service can make a connection to a domain's IdP; pretty much what OpenID Connect is also doing, but SASL-styled.

This is all work in progress, the specs seem sound as our implementation work demonstrates.

-Rick

------------------------------------------
Permalink: https://cyrus.topicbox.com/groups/sasl/T507fc7ab05af3690-M16bde4e1c9f0988a3b0587f4