Configure rlm_rest module to allow token authentication
Hi all, I'm working on the django-freeradius project. First of all, Thanks for the help on session limits feature. Now we wish to put restrictions on the API and therefore are thinking to go with Token authentication for each organization/ app. Can anyone tell me how to configure FreeRADIUS to allow token authentication, i.e., dealing with the requests having a token parameter? Also, it would be great to know if multiple tokens can be authorized, for ex., each user/ a group of users having a single token. Thank you, Rohith ASRK
On Jul 9, 2018, at 7:17 AM, Rohith Asrk <rohith.asrk@gmail.com> wrote:
I'm working on the django-freeradius project. First of all, Thanks for the help on session limits feature. Now we wish to put restrictions on the API and therefore are thinking to go with Token authentication for each organization/ app.
Can anyone tell me how to configure FreeRADIUS to allow token authentication, i.e., dealing with the requests having a token parameter?
The question is where does the token go? i.e. which attribute carries the token?
Also, it would be great to know if multiple tokens can be authorized, for ex., each user/ a group of users having a single token.
Sure. Multiple users / groups can have the same password, for example. Tokens are similar. Alan DeKok.
Hi Alan, We want to send a token in the Authorization header of the HTTP request. Something like Authorization: Bearer <token> and authenticate users against the tokens and their respective checks as well. So, token here is just an additional check that we are putting on the user/ group of users. Thanks, Rohith ASRK
I just want the FreeRADIUS daemon to receive such requests and probably extract the token from header and authenticate against it. Would it be possible? On Tue, Jul 10, 2018, 2:10 AM Alan DeKok <aland@deployingradius.com> wrote:
On Jul 9, 2018, at 4:19 PM, Rohith Asrk <rohith.asrk@gmail.com> wrote:
We want to send a token in the Authorization header of the HTTP request.
I don't think the module has provisions for customizing that header.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 9, 2018, at 5:07 PM, Rohith Asrk <rohith.asrk@gmail.com> wrote:
I just want the FreeRADIUS daemon to receive such requests and probably extract the token from header and authenticate against it.
"such requests"... again, what is in the requests? Which attribute in the RADIUS packet are you using? You need to be specific here. And again, the rest module doesn't support custom authorization headers. The module has documentation, and it works as documented. Figure out what RADIUS attribute has the information. Read the REST documentation to see how to configure it. Then, configure the REST module to use that RADIUS attribute. If you have specific questions, then ask *specific* questions. Right now, all I know is you want something to do with RADIUS and HTTP. But you haven't given any details which let me give you a specific answer. Q: Can I do stuff? A: Yes, you can do stuff. Q: How? A: I have no idea. It depends on what stuff you want to do Alan DeKok.
Sorry Alan for not being specific in the previous mail. We want the RADIUS daemon to receive HTTP requests containing authorization headers like "Authorization: Bearer <token>" and authenticate users using this token. This is because we want only authorised users to use the APIs we've created in django-freeradius. This seems possible from django's end but not sure how it can be enabled in FreeRADIUS. If it is not possible, I just want to know if FreeRADIUS allows requests which contain authorization headers even if there is no support to authenticate against them. So that we'd put restrictions from the from our web interface and forward requests only if they contain the token in the header. Thank you. Rohith ASRK On Tue, Jul 10, 2018 at 2:45 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 9, 2018, at 5:07 PM, Rohith Asrk <rohith.asrk@gmail.com> wrote:
I just want the FreeRADIUS daemon to receive such requests and probably extract the token from header and authenticate against it.
"such requests"... again, what is in the requests? Which attribute in the RADIUS packet are you using?
You need to be specific here.
And again, the rest module doesn't support custom authorization headers. The module has documentation, and it works as documented.
Figure out what RADIUS attribute has the information. Read the REST documentation to see how to configure it. Then, configure the REST module to use that RADIUS attribute.
If you have specific questions, then ask *specific* questions. Right now, all I know is you want something to do with RADIUS and HTTP. But you haven't given any details which let me give you a specific answer.
Q: Can I do stuff? A: Yes, you can do stuff.
Q: How? A: I have no idea. It depends on what stuff you want to do
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
I actually think I got my basics wrong here. Sorry for all the confusion. Please ignore the previous mail. What I actually need is configuring the FreeRADIUS daemon to send requests to the API. And the API here needs token in the form of a authorization header or a querystring. Can I configure FreeRADIUS to send HTTP requests to the API with bearer authorization in the headers? As of now, the rest module configuration looks like this <http://django-freeradius.readthedocs.io/en/latest/general/freeradius.html> [1]. The API is going to check for tokens in the headers or in the query strings and we want the FreeRADIUS instance to be an authorized user. Links: [1]: http://django-freeradius.readthedocs.io/en/latest/general/freeradius.html Thank you Rohith ASRK On Tue, Jul 10, 2018 at 12:15 PM, Rohith Asrk <rohith.asrk@gmail.com> wrote:
Sorry Alan for not being specific in the previous mail.
We want the RADIUS daemon to receive HTTP requests containing authorization headers like "Authorization: Bearer <token>" and authenticate users using this token. This is because we want only authorised users to use the APIs we've created in django-freeradius.
This seems possible from django's end but not sure how it can be enabled in FreeRADIUS. If it is not possible, I just want to know if FreeRADIUS allows requests which contain authorization headers even if there is no support to authenticate against them. So that we'd put restrictions from the from our web interface and forward requests only if they contain the token in the header.
Thank you. Rohith ASRK
On Tue, Jul 10, 2018 at 2:45 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 9, 2018, at 5:07 PM, Rohith Asrk <rohith.asrk@gmail.com> wrote:
I just want the FreeRADIUS daemon to receive such requests and probably extract the token from header and authenticate against it.
"such requests"... again, what is in the requests? Which attribute in the RADIUS packet are you using?
You need to be specific here.
And again, the rest module doesn't support custom authorization headers. The module has documentation, and it works as documented.
Figure out what RADIUS attribute has the information. Read the REST documentation to see how to configure it. Then, configure the REST module to use that RADIUS attribute.
If you have specific questions, then ask *specific* questions. Right now, all I know is you want something to do with RADIUS and HTTP. But you haven't given any details which let me give you a specific answer.
Q: Can I do stuff? A: Yes, you can do stuff.
Q: How? A: I have no idea. It depends on what stuff you want to do
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
July 10, 2018 1:18 PM, "Rohith Asrk" <rohith.asrk@gmail.com> wrote:
I actually think I got my basics wrong here. Sorry for all the confusion. Please ignore the previous mail.
What I actually need is configuring the FreeRADIUS daemon to send requests to the API. And the API here needs token in the form of a authorization header or a querystring.
Can I configure FreeRADIUS to send HTTP requests to the API with bearer authorization in the headers? As of now, the rest module configuration looks like this <http://django-freeradius.readthedocs.io/en/latest/general/freeradius.html> [1].
The API is going to check for tokens in the headers or in the query strings and we want the FreeRADIUS instance to be an authorized user.
No mention of HTTP auth in the linked doc. So rlm_rest supports a number of options for that, but not bearer. Just adding that as a header might work though: https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-avail...
On Jul 10, 2018, at 6:37 AM, Zenon Mousmoulas <zmousm@noc.grnet.gr> wrote:
July 10, 2018 1:18 PM, "Rohith Asrk" <rohith.asrk@gmail.com> wrote:
I actually think I got my basics wrong here. Sorry for all the confusion. Please ignore the previous mail.
What I actually need is configuring the FreeRADIUS daemon to send requests to the API. And the API here needs token in the form of a authorization header or a querystring.
Can I configure FreeRADIUS to send HTTP requests to the API with bearer authorization in the headers? As of now, the rest module configuration looks like this <http://django-freeradius.readthedocs.io/en/latest/general/freeradius.html> [1].
The API is going to check for tokens in the headers or in the query strings and we want the FreeRADIUS instance to be an authorized user.
No mention of HTTP auth in the linked doc.
So rlm_rest supports a number of options for that, but not bearer. Just adding that as a header might work though:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-avail...
It does, i've done it. map json "%{rest_subsc:POST https://${modules.rest[rest_subsc].username}:${modules.rest[rest_subsc].password}@${modules.rest[rest_subsc].server}:${modules.rest[rest_subsc].port}/oauthv2/token grant_type=client_credentialst}" { &control:Cache-TTL := '$.expires_in' &control:Tmp-String-0 := '$.access_token' &control:Tmp-String-1 := '$.token_type' } timer_record_rest_subsc if (&reply:REST-HTTP-Status-Code && (&reply:REST-HTTP-Status-Code != 200)) { fail } # Access token should be pre-base64 encoded by the server update control { &REST-HTTP-Header += "Authorization: Bearer %{control:Tmp-String-0}" } # Issue request with new token rest The map/json/rest xlat are all specific to v4 for, so you'd need to figure out how to do it on your own in v3. I'd recommend caching the token using the cache module once you have it. -Arran
Hi Arran and Zenon, Thank you for your replies. I've tried configuring my authorize section to send a token in the bearer header whenever a authorize request is sent. I've failed at doing it maybe because I'm a beginner to FreeRADIUS. My authorize section looks like the following. authorize { uri = "${..connect_uri}/api/authorize/" method = 'post' body = 'json' data = '{"username": "%{User-Name}", "password": "%{User-Password}"}' tls = ${..tls} # Confused about this section. update control { &REST-HTTP-Header += "Authorization: Bearer token123" } rest } I tried testing it using the radtest command. I see that there are no headers being set. I'm using FreeRADIUS version 3.0.15 on Fedora (Redhat). Can you please help me out with this? On Tue, Jul 10, 2018 at 5:12 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On Jul 10, 2018, at 6:37 AM, Zenon Mousmoulas <zmousm@noc.grnet.gr> wrote:
July 10, 2018 1:18 PM, "Rohith Asrk" <rohith.asrk@gmail.com> wrote:
I actually think I got my basics wrong here. Sorry for all the confusion. Please ignore the previous mail.
What I actually need is configuring the FreeRADIUS daemon to send requests to the API. And the API here needs token in the form of a authorization header or a querystring.
Can I configure FreeRADIUS to send HTTP requests to the API with bearer authorization in the headers? As of now, the rest module configuration looks like this <http://django-freeradius.readthedocs.io/en/latest/ general/freeradius.html> [1].
The API is going to check for tokens in the headers or in the query strings and we want the FreeRADIUS instance to be an authorized user.
No mention of HTTP auth in the linked doc.
So rlm_rest supports a number of options for that, but not bearer. Just adding that as a header might work though:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/ raddb/mods-available/rest#L84
It does, i've done it.
map json "%{rest_subsc:POST https://${modules.rest[rest_ subsc].username}:${modules.rest[rest_subsc].password}@${ modules.rest[rest_subsc].server}:${modules.rest[rest_subsc].port}/oauthv2/token grant_type=client_credentialst}" { &control:Cache-TTL := '$.expires_in' &control:Tmp-String-0 := '$.access_token' &control:Tmp-String-1 := '$.token_type' }
timer_record_rest_subsc
if (&reply:REST-HTTP-Status-Code && (&reply:REST-HTTP-Status-Code != 200)) { fail }
# Access token should be pre-base64 encoded by the server update control { &REST-HTTP-Header += "Authorization: Bearer %{control:Tmp-String-0}" }
# Issue request with new token rest
The map/json/rest xlat are all specific to v4 for, so you'd need to figure out how to do it on your own in v3. I'd recommend caching the token using the cache module once you have it.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
13 Ιουλ 2018, 00:57, ο χρήστης «Rohith Asrk <rohith.asrk@gmail.com>» έγραψε:
# Confused about this section. update control { &REST-HTTP-Header += "Authorization: Bearer token123" } rest }
I gather you need to call this somewhere in the authorize section (of the virtual server, not the module), before calling the rest module.
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Rohith Asrk -
Zenon Mousmoulas