logmein Authentication
logmein redirects users to an HTTPS website to perform mutual SSL (mTLS) authentication.
---
config:
mirrorActors: false
look: handDrawn
title: implicit with mutual authentication
---
sequenceDiagram
actor user as user
participant secure as secure
participant pyos as pyos
user ->> pyos: implicit auth
pyos ->> user: go to secure for that
user ->> secure: hello
secure ->> user: who comes there ?
Note left of user: I have my certificat
user ->> secure: certificat
secure ->> secure: certificat check
secure ->> pyos: user with certificat wants to login
pyos ->> pyos: security check
Note right of pyos: Where the http request comes from ?
Note right of pyos: What is this certificat ?
pyos ->> user: user JWT
user ->> pyos: create desktop ( user JWT )
pyos ->> user: desktop JWT
In the typical flow, the user is redirected to an HTTPS service and authenticated using their X.509 certificate. The certificate is then forwarded via an HTTP header to pyos, which performs security checks and issues a user JWT to the client.
logmeinis animplicitprovider.
The user is redirected to dialog_url. For example, https://secure.your_domain.com/protectedbyssl.
The implicit provider configuration looks like this:
'implicit': {
'providers' : {
'sslclient' : {
'displayname': 'Logmein protected by SSL',
'icon': 'img/auth/sslclient_icon.svg',
'textcolor': '#000000',
'backgroundcolor': '#FFFFFF',
'enabled': True,
'dialog_url' : 'https://secure.your_domain.com/protectedbyssl',
'auth_protocol' : { 'localaccount': True }
}
}
}
Mutual SSL authentication is performed at dialog_url: https://secure.your_domain.com/protectedbyssl. If the SSL client certificate is successfully verified, the user is proxy-passed from https://secure.your_domain.com/protectedbyssl to $my_node/API/auth/logmein?provider=sslclient.
location /protectedbyssl {
if ($ssl_client_verify != SUCCESS) {return 403 $ssl_client_verify;}
proxy_set_header AbcdesktopUserCert $ssl_client_escaped_cert;
proxy_pass $my_node/API/auth/logmein?provider=sslclient;
}
The server requests the client's certificate in a
CertificateRequestmessage, enabling mutual TLS authentication.
logmein Endpoint Configuration
The API/auth/logmein endpoint performs security checks to verify that the request originates from an authorized network defined in network_list. When configured, it also validates the required HTTP header name and its value. It reads the X.509 certificate to extract the user ID and then performs implicit authentication for that user.
auth.logmein : {
'enable' : True,
'network_list' : ['0.0.0.0/0'],
'permit_querystring' : False,
'http_attribut' : 'ABCDESKTOPUSERCERT' }
| Variable name | Type | Description |
|---|---|---|
enable |
boolean | Enables or disables the logmein feature. The default value is False. |
network_list |
list | List of subnets authorized to query the logmein endpoint. |
permit_querystring |
boolean | Allows passing the userid as a query string parameter. The default value is False. |
oid_list |
list | List of OID strings used to read the user ID from the X.509 certificate. The default values are [ cryptography.x509.oid.NameOID.USER_ID, cryptography.x509.oid.NameOID.COMMON_NAME ]. |
http_attribut |
string | (Optional) Name of the HTTP header. If set, the value of this header must be a PEM-encoded X.509 certificate. |
The oid_list entries are resolved from OID dotted-string notation to ObjectIdentifier objects. For example, [ cryptography.x509.oid.NameOID.USER_ID, cryptography.x509.oid.NameOID.COMMON_NAME ] becomes [ '0.9.2342.19200300.100.1.1', '2.5.4.3' ].
nginx Configuration with Mutual Authentication
- nginx reverse proxy sample:
server {
listen 443;
server_name secure.your_domain.com;
root /usr/share/nginx/www;
index index.html index.htm;
resolver a.b.c.d; # if need
ssl on;
ssl_certificate /etc/letsencrypt/live/secure.your_domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/secure.your_domain.com/privkey.pem;
# where should you go ?
# to your abcdesktop web site to call /API/auth/logmein endpoint
set $my_node http://abcdesktop_url:30443;
# client certificate
ssl_client_certificate /etc/nginx/ca/ca-cert.pem;
# make verification optional, so we can display a 403 message to those
# who fail authentication
# ssl_verify_client optional;
ssl_verify_depth 2;
ssl_verify_client on;
location /protectedbyssl {
if ($ssl_client_verify != SUCCESS) {return 403 $ssl_client_verify;}
proxy_set_header AbcdesktopUserCert $ssl_client_escaped_cert;
proxy_pass $my_node/API/auth/logmein?provider=sslclient;
}
od.config file
auth.logmein : {
'enable' : True,
'network_list' : ['0.0.0.0/0'],
'permit_querystring' : False,
'http_attribut' : 'ABCDESKTOPUSERCERT' }
authmanagers: {
'implicit': {
'providers' : {
'sslclient' : {
'displayname': 'Logmein protected by SSL',
'icon': 'img/auth/sslclient_icon.svg',
'textcolor': '#000000',
'backgroundcolor': '#FFFFFF',
'enabled': True,
'dialog_url' : 'https://secure.your_domain.com/protectedbyssl',
'auth_protocol' : { 'localaccount': True }
} } } }