-
-
Notifications
You must be signed in to change notification settings - Fork 27
Non interactive session refresh
By default, openvpn-auth-oauth2 doesn't store user tokens.
This means users must log in interactively each time they authenticate, including during TLS soft-resets
(triggered by reneg-sec).
However, you can change this behavior by enabling the oauth2.refresh.enabled=true setting.
This allows openvpn-auth-oauth2 to store either the connection ID or SessionID (oauth2.refresh.use-session-id=true),
accepting connections without additional login checks.
When oauth2.refresh.validate-user=true is set, openvpn-auth-oauth2
requests a refresh token
during the initial connection and stores it.
The refresh tokens are stored in an in-memory key-value store and encrypted using AES. Each token is tied to either the OpenVPN client ID or OpenVPN session ID.
If a non-interactive login attempt with the refresh token fails against the OIDC provider, the system reverts to an interactive login process.
References:
- https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow#refresh-the-access-token
- https://curity.io/resources/learn/oauth-refresh/
- https://developer.okta.com/docs/guides/refresh-tokens/main/
Here is the corrected version of your text:
If oauth2.refresh.validate-user is set to false, a refresh token is not requested and validated against the OIDC
provider.
openvpn-auth-oauth2 assumes the user is still valid and allows the user to connect without further validation.
Example: If the user opens a VPN connection and the user is deleted from the OIDC provider, the connection remains valid until the connection lifetime is reached. Restarting the OpenVPN server will invalidate the connection unless non-interactive session refresh across disconnects is configured.
To facilitate non-interactive session refresh across disconnects,
you must enable auth-token-gen [lifetime] external-auth on the OpenVPN server.
-
[lifetime]represents the duration of the token in seconds. Once generated, the token's lifetime cannot be extended. It must consider as maximum lifetime of an VPN session. For instance, setting the lifetime to 8 hours means the client will disconnect after 8 hours from the initial authentication and will need to re-authenticate. -
Setting the lifetime to 0 disables the lifetime check, which can be beneficial for mobile devices with unstable connections or during device sleep cycles.
If auth-gen-token-secret [keyfile] is configured, OpenVPN access server restarts can verify auth-tokens.
To generate a new secret, utilize openvpn --genkey auth-token [keyfile].
Note: Keep the keyfile secret as anyone with access to it can generate auth tokens that the OpenVPN server will recognize as valid. It's crucial to safeguard this file on the server.
References:
| env/sysconfig configuration |
CONFIG_OAUTH2_REFRESH_ENABLED=true
CONFIG_OAUTH2_REFRESH_EXPIRES=8h
CONFIG_OAUTH2_REFRESH_SECRET= # a static secret to encrypt token. Must be 16, 24 or 32
CONFIG_OAUTH2_REFRESH_USE__SESSION__ID=true
CONFIG_OPENVPN_AUTH__TOKEN__USER=true |
| yaml configuration |
oauth2:
refresh:
enabled: true
expires: 8h
secret: "..." # 16 or 24 characters
use-session-id: true
openvpn:
auth-token-user: true |
This wiki is synced with the docs folder from the code repository! To improve the wiki, create a pull request against the code repository with the suggested changes.