URL: https://github.com/SSSD/sssd/pull/5762
Author: pbrezina
Title: #5762: krb5: add support for oauth2 challenge (wip)
Action: edited
Changed field: body
Original value:
"""
This depends on changes in multiple components that are not yet merged, therefore testing
is a little bit difficult. There will be some final touches in `otp_parse_oauth2_challenge`
when we decide on the challenge format but the patches are ready to be reviewed.
## How to test
1. Install IPA server
2. On IPA server: install patched ipa, patched krb5, pyrad and mock-radius; create radius
proxy config and a test user (tuser name is required):
```console
$ dnf copr enable pbrezina/otp
$ dnf copr enable abbra/oauth2-support
$ dnf upgrade krb5-devel freeipa-server
$ kinit admin
$ echo Secret123 | ipa radiusproxy-add localhost --server=127.0.0.1 --secret
$ ipa user-add tuser --user-auth-type=radius --radius=localhost --first Test --last User
$ git clone https://github.com/pbrezina/mock-radius.git
$ cd mock-radius
$ sudo pip3 install pyrad
$ sudo ./server.py
```
3. On client:
```
$ su tuser
Authenticate with PIN 381924 at https://visit.me/oauth2 and press ENTER.
$ klist
Ticket cache: KEYRING:persistent:830600005:krb_ccache_1mToqfe
Default principal: tuser@IPA.VM
Valid starting       Expires              Service principal
08/26/2021 14:15:11  08/27/2021 14:15:10  krbtgt/IPA.VM@IPA.VM
        renew until 09/02/2021 14:15:10
```
No real authentication is necessary, because `mock-radius` accepts everything. The URL is
obviously fake, so just hit enter.
"""