Hi there
Is it possible to have a certificate put in place on a public wifi network that 
will also give an option for email registration?
So far I have yet to find anything about that. Currently community members and 
staff who want to connect to the Open/Public network use our portal page that 
gives two options (their user account (if any) or their private email address). 
Is there a way to make it more secure and include a certificate? Thanks and 
have a great day 😊

From: leonardo.izzo--- via PacketFence-users 
<[email protected]>
Sent: May 20, 2022 9:00 AM
To: [email protected]
Cc: [email protected]
Subject: [PacketFence-users] R: Google Oauth2 captive portal

Hello Diego, and thanks for the reply.
Leaving aside the discussion on mobile devices, and restricting the scenario 
for simplicity to a laptop of a guest who is connected to a wifi network and 
must authenticate on the Internet.
Our client asks that the guest who launches the browser (e.g. Chrome) from his 
laptop must come up with a captive portal where he is asked to enter his Google 
credentials to authenticate and register his laptop and then be able to surf 
the Internet.
Now let's see if I understand correctly:
the PacketFence machine implemented locally at the customer must be reached 
from the Internet using the URL https://your_portal_hostname/oauth2/callback, 
where your_portal_hostname is a DNS record that allows you to reach 
the PacketFence machine itself from the Internet.
So the customer must have a right Internet domain?
Also, I understand that it must also have a valid HTTPS certificate, is that so?

From: Diego Garcia del Rio via PacketFence-users <[email protected]>
Sent: Thursday, May 19, 2022 21:36
To: packetfence-users <[email protected]>
Cc: Diego Garcia del Rio <[email protected]>; [email protected]
Subject: Re: [PacketFence-users] Google Oauth2 captive portal

If you're trying this from a mobile phone (captive portal browser) then yes, it 
will be blocked, as Google is blocking all embedded browsers and any "not-full 
browsers". It means Google authentication can't really be used from mobile 
devices when accessed through the captive portal.

Also, your authorized redirect seems wrong. You need to provide a proper, REAL 
HTTPS (with valid certificate) URL / server name. NOT 
"pf.packetfence.org/oauth2/callback"

You need a proper domain name / proper server name.

On Thu, May 19, 2022 at 10:40 AM leonardo.izzo--- via PacketFence-users 
<[email protected]> wrote:
Hi, could you please answer? Thanks

From: [email protected] <[email protected]>
Sent: Sunday, May 15, 2022 15:39
To: '[email protected]' <[email protected]>; '[email protected]' <[email protected]>
Subject: Google Oauth2 captive portal

Hi, I configured pf for a captive portal with OAuth2 using Google.
I followed the instructions in the guide on what to do on 
http://code.google.com/apis/console:
1) I created a project
2) I went to "OAuth consent screen" and configured it \ I chose External and 
then Create \ I gave a name and email, then I went on without entering anything
3) I went to Credentials \ Create credentials \ I chose "OAuth client ID" \ and 
then as application type "Web Application" and I gave the name pf
4) I went under "Authorized redirect URI" \ Add URI \ and I entered the string 
https://pf.packetfence.org/oauth2/callback 
as in my PacketFence console in Configuration \ System Configuration \ General 
Configuration I have pf Domain = packetfence.org and Hostname = pf
5) I have saved the "client ID" and the "client secret"
6) I went to the OAuth consent screen \ modify App \ authorized domains and 
entered: google.com, google.it, etc.
7) I went to OAuth Consent Screen \ Publish App

I then created a Google-type external authentication source by entering the 
data created in the previous point.
I then created a connection profile containing this source.

When I try to connect from a device, I get the following error:

Authorization error
Error 400: invalid_request
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 
policy for keeping apps secure.

You can let the app developer know that this app doesn't comply with one or 
more Google validation rules.
Find out more
Request details
The content in this section was provided by the app developer and has not been 
reviewed or verified by Google.
If you developed the app, make sure these request details comply with Google's 
policies.
redirect_uri: https: // <hostname> / oauth2 / callback

Thanks
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
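
Added example, not part of the original thread and not PacketFence or Google code: a pre-flight check of a redirect URI against the requirements raised in the replies above (HTTPS, a proper DNS server name, a certificate that validates). The sample URIs are constructed, portal.example.com is a placeholder, and treating a name without a dot as "not a proper domain" is a simplifying assumption.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

CALLBACK_PATH = "/oauth2/callback"  # callback path quoted in the thread


def redirect_uri_problems(uri):
    """Offline checks: list the reasons a redirect URI would be unsuitable."""
    problems = []
    if any(ch.isspace() for ch in uri):
        problems.append("contains whitespace")
    parts = urlsplit(uri.strip())
    host = parts.hostname or ""
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not host:
        problems.append("no host name")
    else:
        try:
            ipaddress.ip_address(host)
            problems.append("host is a raw IP address")
        except ValueError:
            # Assumption: a name with no dot (e.g. "pf") is not a public FQDN.
            if "." not in host.rstrip("."):
                problems.append("host is not a fully qualified domain name")
    if parts.path != CALLBACK_PATH:
        problems.append("path is not " + CALLBACK_PATH)
    return problems


def certificate_problem(host, port=443, timeout=5.0):
    """Online check: verifying TLS handshake; None means chain and name are valid."""
    ctx = ssl.create_default_context()  # system CA store, hostname check enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except OSError as exc:  # includes ssl.SSLCertVerificationError
        return f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    # Constructed sample URIs; portal.example.com is a placeholder name.
    for uri in ("https://portal.example.com/oauth2/callback",
                "http://portal.example.com/oauth2/callback",
                "https://pf/oauth2/callback",
                "https://192.0.2.10/oauth2/callback"):
        print(uri, "->", redirect_uri_problems(uri) or "ok")
```

Run certificate_problem() from a machine outside the registration network, so that the handshake exercises the same public DNS record and certificate chain that an external client would see.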