Bug 2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2 [NEEDINFO]
Summary: [RFE] Add sssd internal krb5 plugin for authentication against external IdP v...
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Pavel Březina
QA Contact: Scott Poore
Josip Vilicic
Whiteboard: sync-to-jira
Depends On: 2056482
Reported: 2022-02-21 10:48 UTC by Pavel Březina
Modified: 2023-03-13 15:07 UTC (History)

Fixed In Version: sssd-2.7.0-2.el8
Doc Type: Technology Preview
Doc Text:
.SSSD internal krb5 idp plugin available as a Technology Preview
The SSSD krb5 `idp` plugin allows you to authenticate against an external identity provider (IdP) using the OAuth2 protocol. This feature is available only with IdM servers on RHEL 8.7 and later.
Clone Of: 2056482
Last Closed: 2022-11-08 10:51:22 UTC
Type: Bug
Target Upstream Version:
lmanasko: needinfo? (jvilicic)


System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-112901 0 None None None 2022-02-21 11:00:22 UTC
Red Hat Issue Tracker SSSD-4347 0 None None None 2022-02-21 20:15:48 UTC
Red Hat Product Errata RHBA-2022:7739 0 None None None 2022-11-08 10:51:43 UTC

Description Pavel Březina 2022-02-21 10:48:40 UTC
+++ This bug was initially created as a clone of Bug #2056482 +++

This is a request to include the sssd internal krb5 plugin that is currently under development in https://github.com/SSSD/sssd/pull/5762.

Comment 3 Alexey Tikhonov 2022-03-16 11:28:45 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5762

* `master`
    * 918d493c38138cf1008c7e117be4e416adae22f5 - pam: add oauth2 url+pin prompt
    * 95495e7b4f3111cfd4508025bca3d66c84f7cd87 - krb5: add keep alive timeout for krb5_child
    * 8cba6b4b40cda6b3d50b137ec9a566d16ea9e3c8 - krb5: fix memory hierarchy in krb5_child unpack_buffer()
    * dcd7133e1ce0791dab4a7ecfcd46c228c35c2bd9 - krb5: add support for idp:oauth2 responder question
    * 689bb4f8bfc6c434f2004bf2051777637f958b35 - krb5: exchange messages with krb5_child with exact length
    * 5f9e5c2e0365fd3debd48ab1fd96c77efffed05b - krb5: terminate child if it fails to setup
    * 3a2add67f897b78450291b7c41b32f18b42c17a2 - krb5: support to exchange multiple messages with the same child
    * 68a8a2d71b77fbc5e7a748307ac4164ebd8125f3 - krb5: add idp preauth plugins
    * 6731494204a623da79297047b108d133de377c97 - make: define RUNDIR
    * 8ca8fcf01d6854c739a090778bc1c3e0e3579e0c - conf: add libjansson dependency
    * 7d688556bfff7b508ce4982d4240a6e1d0bf31f4 - pam: add new SSS_PAM_OAUTH2_INFO pam item
    * 292bde667c8cf40eb13fd1593d9a968ab753338f - pam: add new SSS_CHILD_KEEP_ALIVE pam item
    * 709e9cc9a12853e3f243e6aac349c02d09b12acf - authtok: add SSS_AUTHTOK_TYPE_OAUTH2

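Several of the commits listed above concern the parent/child message exchange (exact-length messages, multiple messages over the same krb5_child, a keep-alive timeout, terminating a child that fails to set up). The following is an added illustration of that pattern, not SSSD's own code: length-prefixed frames over a socketpair, reads that loop until exactly the announced length has arrived, a bounds check on the untrusted length before anything is read, and a poll()-based keep-alive timeout on the receiving side. All function names, the 4-byte header layout and the sample messages are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example (hypothetical names, not SSSD code): exact-length framed
   messages between a parent and a helper child, with a keep-alive timeout. */
#include <ctype.h>
#include <errno.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_MSG 4096   /* upper bound on any payload we are willing to read */

/* Read exactly len bytes; a short read is not a complete message.
   Returns 0 on success, -1 on EOF or error. */
static int read_exact(int fd, void *buf, size_t len) {
    uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) return -1;            /* peer closed mid-frame */
        p += n; len -= (size_t)n;
    }
    return 0;
}

static int write_exact(int fd, const void *buf, size_t len) {
    const uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Frame = 4-byte big-endian payload length + payload. */
static int send_msg(int fd, const void *payload, uint32_t len) {
    if (len > MAX_MSG) return -1;
    uint8_t hdr[4] = { (uint8_t)(len >> 24), (uint8_t)(len >> 16),
                       (uint8_t)(len >> 8),  (uint8_t)len };
    if (write_exact(fd, hdr, 4) < 0) return -1;
    return write_exact(fd, payload, len);
}

/* Wait up to timeout_ms for one frame. Returns the payload length,
   -2 if the keep-alive timeout expired, -1 on EOF, error or a length
   the peer is not allowed to send. */
static int recv_msg(int fd, uint8_t *out, size_t cap, int timeout_ms) {
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int r;
    do { r = poll(&pfd, 1, timeout_ms); } while (r < 0 && errno == EINTR);
    if (r == 0) return -2;
    if (r < 0) return -1;
    uint8_t hdr[4];
    if (read_exact(fd, hdr, 4) < 0) return -1;
    uint32_t len = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                   ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    if (len > MAX_MSG || len > cap) return -1;   /* reject before reading payload */
    if (read_exact(fd, out, len) < 0) return -1;
    return (int)len;
}

/* Parent sends two messages to a forked child over one socketpair; the
   child upper-cases and echoes each. Returns 0 if both replies came back
   with exactly the request length and a third wait then timed out. */
int demo_exchange(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: serve until EOF/timeout */
        close(sv[0]);
        uint8_t buf[MAX_MSG];
        int n;
        while ((n = recv_msg(sv[1], buf, sizeof buf, 1000)) >= 0) {
            for (int i = 0; i < n; i++) buf[i] = (uint8_t)toupper(buf[i]);
            if (send_msg(sv[1], buf, (uint32_t)n) < 0) break;
        }
        _exit(0);
    }
    close(sv[1]);
    const char *msgs[] = { "pin 1234", "https://idp.example/device" };  /* constructed */
    int rc = 0;
    for (int i = 0; i < 2 && rc == 0; i++) {
        uint8_t reply[MAX_MSG];
        uint32_t len = (uint32_t)strlen(msgs[i]);
        if (send_msg(sv[0], msgs[i], len) < 0) { rc = -1; break; }
        if (recv_msg(sv[0], reply, sizeof reply, 1000) != (int)len) rc = -1;
    }
    if (rc == 0) {
        uint8_t reply[MAX_MSG];
        if (recv_msg(sv[0], reply, sizeof reply, 100) != -2) rc = -1;  /* idle: keep-alive expires */
    }
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return rc;
}

/* A peer announcing 65536 bytes is refused at the header (-1); no payload is read. */
int demo_reject_oversized(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    uint8_t hdr[4] = { 0x00, 0x01, 0x00, 0x00 };
    uint8_t out[16];
    int rc = 1;
    if (write_exact(sv[0], hdr, 4) == 0) rc = recv_msg(sv[1], out, sizeof out, 1000);
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void) {
    printf("exchange: %d, oversized: %d\n", demo_exchange(), demo_reject_oversized());
    return 0;
}
```

The two checks a reviewer would look for are the bounded length (the child's announced length is untrusted input and is compared against MAX_MSG before any allocation or read) and the timeout on the reader, so a child that hangs during setup cannot block the parent indefinitely.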
Comment 4 Alexey Tikhonov 2022-04-01 15:13:36 UTC
Additional PR: https://github.com/SSSD/sssd/pull/6090

Comment 5 Alexey Tikhonov 2022-04-08 10:54:12 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6090

* `master`
    * 74cb09ea21432e986034bbb2ee2b477644ac8ae3 - krb5: idp method is only supported if FAST channel is available
    * 63e6365cb18033114d21c6c263c4971552847481 - krb5: switch to Proxy-State in idp plugin reply
    * f853a868309fe11c591a103152c9191ea0432462 - krb5: switch to Proxy-State in idp plugin

Comment 12 errata-xmlrpc 2022-11-08 10:51:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

