Google consent screen always asking for permission grant (View Cloud Identity Groups) every time we connect #277
Comments
Hi!
In that context, it won't matter. Only the OpenVPN server is authorized to disconnect the client. I guess the OpenVPN default setting
The problem is a bit on Google's side. A workaround would be
You will also find some information here: https://github.com/jkroepke/openvpn-auth-oauth2/wiki/Configuration#non-interactive-session-refresh
Thanks for the help! We have set the reneg-sec to 12 hours. Regarding the consent screen, we have tried setting validate-user=false, but we see no change: permissions keep being requested every time we log in. We use certificate authentication, issued by a local RSA CA, with common_name being the email on the Google side. I will keep playing with options, including entirely disabling the refreshes.
Update: Seems we made a mistake when configuring the validate-user entry. I can confirm that, when correctly set, it works as you predicted:
Do you know what the security implications of setting it to false are? Thanks
Sure. If set to false, openvpn-auth-oauth2 assumes the user is still valid (e.g. enabled, in the correct groups) and continues the session. If an employee opens a VPN session and you disable the account after 3 hours, he is still able to access the VPN for 9 hours. If
I think this is a minor drawback that is compensated by the improvement in the end-user experience. I guess it's then just a question of restarting the openvpn-auth-oauth2 service every time we deactivate a user in the IdP, or somehow editing the token cache if it is file based. We will check whether the token cache is in memory or not, deactivate a test user, etc., to adjust that procedure. Thanks again for the support!
It's in-memory ;-) You are welcome. May I ask myself how I could improve the documentation here so that it's more understandable for the next one?
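The settings discussed above, as an added example that is not the project's own documentation: an openvpn-auth-oauth2 YAML fragment that enables the refresh-token flow with `validate-user` set to false, next to the OpenVPN server option it pairs with. The key names `oauth2.refresh.enabled`, `oauth2.refresh.validate-user` and `oauth2.refresh.expires` are assumed from the project's configuration layout; check them against the wiki page linked in the thread.

```yaml
# openvpn-auth-oauth2 config.yaml fragment (added example; key names assumed)
oauth2:
  refresh:
    # Re-authenticate silently when OpenVPN renegotiates the session instead of
    # sending the user back to the Google consent screen on every reconnect.
    enabled: true
    # false: the session is continued without asking Google whether the account
    # is still enabled or still in the required groups. A user disabled in the
    # IdP keeps VPN access until the next interactive login or a restart of the
    # openvpn-auth-oauth2 service (the token cache is in-memory).
    # true: the account is re-checked on every refresh, so a disabled user is
    # cut off at the next renegotiation instead.
    validate-user: false
    # Lifetime of the cached refresh session. It must cover the OpenVPN
    # reneg-sec interval, otherwise the cache entry has already expired when
    # the renegotiation happens and the user is prompted again.
    expires: 13h

# Matching OpenVPN server.conf line for the 12-hour interval used in this
# thread (seconds):
#   reneg-sec 43200
```

With `validate-user: false`, the exposure window after deactivating an account in the IdP is bounded only by the client staying connected, so the restart-on-deactivation procedure described in the thread is what closes it.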
Problem Statement
Hi.
We managed to get this working (thanks for the work!!), but we noticed we were automatically disconnected every 60 minutes.
Searching for this issue, it seems 60 minutes is the default expiration for the Google access token.
We didn't find any way to increase it via the configuration, so we enabled refresh tokens.
Now we don't seem to be disconnected (we still haven't tried staying connected for 8 hours, but it is certainly no longer every hour), but unfortunately we are prompted to choose a Google account and to confirm Group permissions every time we connect.
Found this related issue in Stack Overflow (https://stackoverflow.com/questions/10508557/why-does-google-oauth2-re-ask-user-for-permission-when-i-send-them-to-auth-url-a) and I think it is related.
They mention "The google-api puts "approval_prompt=force" by default when creating the auth url." and that this parameter is causing this behaviour.
I searched the issues before posting this question and found nothing related, but I wonder why nobody has asked before; so I guess (and pray) it is a config thing on our end.
Thanks