Skip to content
/ radioauth Public

Radius server proxying OAuth/OpenID access providers

License

MIT license
19 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

holoplot/radioauth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits

account

account

 
 

cmd/radioauth

cmd/radioauth

 
 

.gitignore

.gitignore

 
 

LICENSE.md

LICENSE.md

 
 

README.md

README.md

 
 

config-example.json

config-example.json

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

radioauth.service

radioauth.service

 
 

Repository files navigation

RadiOauth

RadiOauth is a Radius server that uses an OAuth/OpenID access provider to authenticate Radius clients. It can be used in organizations that have an OAuth/OpenID infrastructure such as Google SSO in order to allow their users access to VPN or WLAN services which facilitate Radius authentication.

To get access, users are supposed to visit the https-wrapped URL the http service in this project provides. The code in this project does not handle any TLS endpoints, so administrators are required to reverse-proxy the service in order to have an https endpoint. In case a user does not have a local account yet, they will be redirected to the OAuth provider to acknowledge the account link. Once that has succeeded, RadiOauth will create an internal account, assign a random password to it and prompt it to the user.

The Radius server will then authenticate users with both their password as well as by asking the OAuth provider whether the token is still valid.

Config file

The config file is provided in JSON format and its location is passed to the server using the -config flag.

Key Description
oauth_client_id The Client ID as provided by the OAuth provider
oauth_client_secret The Client Secret as provided by the OAuth provider
oauth_issuer A URL to the OAuth issuer
oauth_callback_url The URL used by the OAuth provider for authentication callbacks. Note that this URL must be white-listed in the settings of the OAuth provider
oauth_account_url A URL a user can click in order to remove the App from their account
account_store_path Used for file-backed account store, see below
redis_addresses Used for Redis-backed account store, see below
radius_secret A secret for the Radius server, shared with other services using it
http_port The HTTP port to listen on

Account store

Radioauth needs an account store for user authentication. There are currently two available implementations.

File-backed

Specify a path that is writeable by the user running the process as account_store_path in the config file. This will create files with JSON content when users are created, and read from these files when users are authentivated. It has no extra runtime dependencies.

Redis-backed

The Redis store can be enabled by specifing one or many Redis addresses as redis_addresses in the config file. When many are selected, a Redis cluster will be used. Account data is saved as JSON serialized strings, stored with the username as key.

Setup (Google)

To get started with Google as OAuth provider, first follow the instruction provided on Google's Identity Platform.

License

MIT

About

Radius server proxying OAuth/OpenID access providers

Topics

go oauth2 vpn openid-client radius-server unify

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

19 stars

Watchers

13 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages