More generally, there are PAM authentication modules that, instead of accepting an ordinary password, accept some kind of "token". This is often the case when single sign-on mechanisms are used for authentication. In the case of OpenID Connect and the PAM module pam_oidc (https://github.com/salesforce/pam_oidc), the "password" given to PAM is a JSON Web Token (JWT). The `id_token` JWTs provided by Google when using their OpenID Connect SSO mechanisms are around 1200 bytes long. `pamconversation.py` arbitrarily limits the password length to a little shy of 1024 bytes, which makes these authentication mechanisms unusable. When this arbitrary limit is hit, you are met with the following error message in Web Access:

> Internal error. If this problem persists, please contact your system administrator.

with the following being logged in `/var/log/tlwebaccess.log`:

> Error communicating with PAM subsystem for user 'wilsj': pamconv: received data exceeds limit
Fixing this would make it possible to add an OpenID Connect SSO authentication portal in front of Web Access without any further modifications to ThinLinc.
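To show why a ~1024-byte cap cannot carry a Google `id_token`, here is an added example (not ThinLinc's `pamconversation.py`, nor code from pam_oidc) that assembles a JWT with the claim set Google typically returns and runs it through a conversation-side length check. The limit constant, the claim values and the dummy signature bytes are all constructed assumptions.

```python
import base64
import json

# Assumed stand-in for the "a little shy of 1024 bytes" limit described above;
# the real value lives in pamconversation.py and is not reproduced here.
PAMCONV_ASSUMED_LIMIT = 1000


def b64url(data: bytes) -> str:
    """JWT segments are base64url without '=' padding (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_id_token() -> str:
    """Constructed id_token shaped like Google's: RS256 header with a 40-hex kid,
    the usual OIDC/profile claims, and 256 dummy bytes where an RSA-2048 signature
    would be. Nothing here is a real credential or a valid signature."""
    client_id = "012345678901-" + "a" * 32 + ".apps.googleusercontent.com"
    header = {"alg": "RS256", "kid": "0" * 40, "typ": "JWT"}
    payload = {
        "iss": "https://accounts.google.com",
        "azp": client_id,
        "aud": client_id,
        "sub": "1" * 21,
        "email": "jane.example@example.com",
        "email_verified": True,
        "at_hash": b64url(b"\x00" * 16),
        "nonce": b64url(b"\x00" * 32),
        "name": "Jane Example",
        "picture": "https://lh3.googleusercontent.com/a/" + "x" * 60,
        "given_name": "Jane",
        "family_name": "Example",
        "iat": 1700000000,
        "exp": 1700003600,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([b64url(compact(header)), b64url(compact(payload)),
                     b64url(b"\x00" * 256)])


def fits_pam_conversation(password: str, limit: int = PAMCONV_ASSUMED_LIMIT) -> bool:
    """Mirror of a conversation-function length check: a PAM_PROMPT_ECHO_OFF reply
    longer than `limit` bytes is rejected before the module ever sees it."""
    return len(password.encode("utf-8")) <= limit


if __name__ == "__main__":
    token = build_sample_id_token()
    print(len(token), "bytes; accepted by conversation:", fits_pam_conversation(token))
```

Running it prints a token length in the 1200-byte range and `False`, the same failure mode as the log line above; an ordinary password still passes.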