~fkooman

Berlin

https://www.tuxed.net/

Trackers

~fkooman/php-oauth2-server

Last active 4 days ago

~fkooman/php-saml-sp

Last active a month ago

#43 create SVG graph on Stats page for connections/users 2 days ago

Comment by ~fkooman on ~eduvpn/server

Perhaps we can even use something like this: https://chartscss.org/

They do not (yet) support pie charts, but there are bar and line charts!

#131 implement OOB verification of accounts 3 days ago

v3.x added by ~fkooman on ~eduvpn/server

#131 implement OOB verification of accounts 3 days ago

Ticket created by ~fkooman on ~eduvpn/server

  • Make sure the account is still there;
  • Make sure the permissions are still up-to-date for VPN profile usage.

It should be easy to implement for LDAP, possible for OIDC and hard for SAML.

#130 uniform permission model 3 days ago

Comment by ~fkooman on ~eduvpn/server

An advantage of standardizing this is that there is no need to configure much in the portal. One would only have to indicate a "permissionAttribute", e.g. eduPersonEntitlement and the rest would be automatic.

One issue we saw already: in NL their SAML proxy can't handle URLs for filtering, only urn:X strings. They use the filtering to not send all permissions to all services, only a subset of them.

https://wiki.surfnet.nl/display/surfconextdev/Standardized+values+for+eduPersonEntitlement

#130 uniform permission model 3 days ago

contemplating added by ~fkooman on ~eduvpn/server

#130 uniform permission model 3 days ago

Ticket created by ~fkooman on ~eduvpn/server

Various aspects of the server could be a candidate for different configuration based on the user. For now, the only thing that is "externally" configurable, i.e. through the IdM, is access to particular profiles and to the admin interface.

In #88 we also ran into allowing the (VPN) session expiry to be based on such an external attribute.

Here we'll contemplate a mechanism by which to (uniformly) allow for configuration of various aspects on a particular user (permission). The following aspects seem candidates for such a treatment:

  1. Profile access (ACL);
  2. (Web) interface admin access;
  3. (VPN) Session expiry;
  4. Whether (and how many!) VPN profile configuration downloads are allowed;
  5. Whether (and how many!) active API VPN clients should be allowed;

In #88 we define attribute values for expiry, in PORTAL_ADMIN.md we define one for access to the admin interface.

Purpose                  (Example) Value(s)
Admin Access             http://eduvpn.org/role/admin
Session Expiry           http://eduvpn.org/expiry#P1Y
Profile Access           http://eduvpn.org/profile#employees
Portal Config Download   http://eduvpn.org/download#5
API Client               http://eduvpn.org/api#1

#88 make sessionExpiry depend on user 3 days ago

Comment by ~fkooman on ~eduvpn/server

Notes: currently if 0 (or more than 1) permissions match the http://eduvpn.org/expiry# prefix, the default is used.
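
The following is an added sketch, not code from the eduVPN server or from ~fkooman, of how the uniform permission model proposed in #130 and the selection rule stated in the #88 comment above (exactly one value matching the prefix is used, zero or more than one falls back to the default) could be resolved from a user's raw entitlement values. The namespace constant, the purpose names, the default values and the decision to treat an unparseable value (bad ISO 8601 duration, non-numeric count) as "no match" are assumptions; the sample entitlement list is constructed.

```python
"""Added sketch of the #130 permission model with the #88 selection rule.
Not eduVPN server code; namespace, defaults and error handling are assumed."""
import re
from datetime import timedelta

# Assumed namespace; it matches the example values listed in #130.
NS = "http://eduvpn.org/"

# purpose -> (suffix under NS, whether a "#value" fragment is expected)
PURPOSES = {
    "admin": ("role/admin", False),
    "expiry": ("expiry#", True),
    "profile": ("profile#", True),
    "download": ("download#", True),
    "api": ("api#", True),
}

# ISO 8601 duration subset PnYnMnDTnHnMnS; at least one component is required
# and a trailing "T" with nothing after it is rejected.
_DURATION_RE = re.compile(
    r"^P(?=\d|T\d)(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<d>\d+)D)?"
    r"(?:T(?=\d)(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text):
    """Convert e.g. 'P1Y' or 'PT12H' to a timedelta (year = 365 d, month = 30 d)."""
    m = _DURATION_RE.match(text)
    if m is None:
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    g = {k: int(v) if v else 0 for k, v in m.groupdict().items()}
    return timedelta(days=g["y"] * 365 + g["mo"] * 30 + g["d"],
                     hours=g["h"], minutes=g["mi"], seconds=g["s"])


def group_permissions(values):
    """Bucket raw entitlement strings by purpose; values outside NS are ignored,
    as is a fragment-style value whose fragment is empty ('...expiry#')."""
    grouped = {name: [] for name in PURPOSES}
    for value in values:
        if not value.startswith(NS):
            continue
        rest = value[len(NS):]
        for name, (suffix, has_fragment) in PURPOSES.items():
            if has_fragment and rest.startswith(suffix) and len(rest) > len(suffix):
                grouped[name].append(rest[len(suffix):])
            elif not has_fragment and rest == suffix:
                grouped[name].append(True)
    return grouped


def single_or_default(matches, default):
    """#88 rule: exactly one matching value is used; zero or more than one -> default."""
    return matches[0] if len(matches) == 1 else default


def effective_settings(values, default_expiry="P90D", default_downloads=5,
                       default_api_clients=1):
    """Resolve one user's entitlement values to the per-user settings of #130.
    Defaults are assumed; an unparseable value is treated as not matching."""
    g = group_permissions(values)
    valid_expiry = [x for x in g["expiry"] if _DURATION_RE.match(x)]

    def counts(xs):
        return [int(x) for x in xs if x.isdigit()]

    return {
        "is_admin": bool(g["admin"]),
        "session_expiry": parse_duration(single_or_default(valid_expiry, default_expiry)),
        "profiles": sorted(set(g["profile"])),  # ACL: the set of allowed profile ids
        "max_downloads": single_or_default(counts(g["download"]), default_downloads),
        "max_api_clients": single_or_default(counts(g["api"]), default_api_clients),
    }


# Constructed entitlement values for one user (not real IdM output).
SAMPLE_USER = [
    "http://eduvpn.org/role/admin",
    "http://eduvpn.org/expiry#P1Y",
    "http://eduvpn.org/profile#employees",
    "http://eduvpn.org/profile#employees",   # same profile granted via two groups
    "http://eduvpn.org/download#5",
    "http://eduvpn.org/api#1",
    "urn:mace:terena.org:tcs:personal-user",  # unrelated entitlement, ignored
]

# Constructed conflicting case: two expiry values -> default expiry applies (#88 rule).
CONFLICTING_USER = [
    "http://eduvpn.org/expiry#P1Y",
    "http://eduvpn.org/expiry#P30D",
]

if __name__ == "__main__":
    print(effective_settings(SAMPLE_USER))
    print(effective_settings(CONFLICTING_USER))
```

Values that are outside the namespace pass through untouched, which matters for the SURFconext filtering issue mentioned in #130: if a proxy only releases `urn:` strings, none of these URL-style values ever arrives and every setting silently falls back to its default, so a deployment should log which purposes resolved from the IdM and which came from defaults.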

#88 make sessionExpiry depend on user 3 days ago

v3.x added by ~fkooman on ~eduvpn/server

#9 remove the "refreshTokenExpiry" 4 days ago

Comment by ~fkooman on ~fkooman/php-oauth2-server

#9 remove the "refreshTokenExpiry" 4 days ago

8.x added by ~fkooman on ~fkooman/php-oauth2-server