
RFE: spawn from openconnect itself

Open dwmw2 opened this issue 2 years ago • 2 comments

We duplicate a bunch of stuff that openconnect knows about the GP protocol, just as openconnect-sso duplicates a bunch of stuff about the AnyConnect protocol.

Now that the SAML support has been merged into OpenConnect upstream, it would be really nice to make the openconnect CLI capable of spawning a browser in a separate process. For AnyConnect we already have its 'external browser' mode but that's very different as the SAML flow actually terminates with a redirect to http://localhost:29786/... with the token. For the normal SAML flows we actually need a 'browser' that we can monitor and steal cookies from; we can't just launch the system browser (unless we make a nasty plugin and deal with the resulting security concerns).

So... can we make openconnect just spawn a variant of gp-saml-gui or openconnect-sso and get the cookie back from it? We already do something like that with TNCC for the DSPREAUTH cookie; instead of just unhelpfully printing `No SSO handler`, can we instead spawn something like `$WEBVIEW_SCRIPT --url $SAML_URL --final-url $SAML_FINAL_URL --cookie $SAML_TOKEN_COOKIE ...` and then get the answer back from its stdout like we do with TNCC?

dwmw2, May 09 '22 09:05

https://gitlab.com/openconnect/openconnect/-/issues/425

dwmw2, May 09 '22 09:05

https://gitlab.com/openconnect/openconnect/-/issues/425

Continuing discussion there, and locking this one to force others to do the same :sunglasses:

dlenski, May 10 '22 22:05