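# The naming scheme in non-Mandriva-based distros
%if 0%{!?mkrel:1}
%define mkrel(c) %{1}%{?dist}
%endif

# Library-style subpackage names where the mklibname macro exists
# (Mandriva/Mageia), plain names everywhere else.
%if 0%{?mklibname:1}
%define pampluginname %{mklibname pam_oauthbearer}
%define saslpluginname %{mklibname sasl2-plug-oauthbearer}
%else
%define pampluginname pam_oauthbearer
%define saslpluginname cyrus-sasl-oauthbearer
%endif

# Pinned upstream snapshot. Source0 must reference this commit rather than a
# branch: a branch archive changes silently between fetches and can neither
# be reproduced nor verified against a stored checksum.
%define commit a595e3c258a2eb08876fec37fe093bf1e101db4a
%define date 20250505

# Install locations for the PAM and SASL modules, taken from pkg-config so
# they match the host's libpam/libsasl2. Fall back to the libdir macro when
# no .pc file is available (e.g. an older pam-devel); without the fallback
# an empty value would make the modules install under "/security".
%global pamlibdir %(pkg-config --variable=libdir pam 2>/dev/null || echo %{_libdir})
%global sasllibdir %(pkg-config --variable=libdir libsasl2 2>/dev/null || echo %{_libdir})

Name: crudeoauth
Version: 1.0.0
# No stable release yet
Release: %mkrel 0.git%{date}.6
Summary: A SASL plugin and PAM implementation of OAUTHBEARER
License: GPLv2
URL: https://github.com/univention/crudeoauth
# Commit-pinned archive: reproducible, checksum-verifiable, and it unpacks
# to the "<name>-<commit>" directory that the autosetup line below expects
# (a refs/heads/master.zip unpacks to "<name>-master" instead).
Source0: https://github.com/univention/crudeoauth/archive/%{commit}/%{name}-%{commit}.zip
Patch0: crudeoauth-modern-build.diff

BuildRequires: automake
BuildRequires: autoconf >= 2.63
BuildRequires: libtool >= 1.9b
BuildRequires: gawk
BuildRequires: gcc-c++
BuildRequires: unzip
BuildRequires: pkgconfig
BuildRequires: pkgconfig(liborcania)
BuildRequires: pkgconfig(librhonabwy) >= 1.1.2
BuildRequires: pkgconfig(libyder)
BuildRequires: pkgconfig(libsasl2) >= 2.1
BuildRequires: (pkgconfig(pam) or pam-devel or libpam-devel)
BuildRequires: pkgconfig(jansson)
BuildRequires: pkgconfig(gnutls)
BuildRequires: pkgconfig(nettle)

%description
This is crudeoauth, a PAM and SASL plugin implementation of RFC 7628
OAUTHBEARER.

The artifacts can be used
 * by user facing services:
   * to validate OAuth 2.0 access tokens using PAM
   * to perform SASL binds using the OAUTHBEARER mechanism, sending an
     OAuth 2.0 access token
 * by protected resources:
   * to accept SASL binds using the OAUTHBEARER mechanism and validate
     OAuth 2.0 access tokens.

In UCS the user facing service could be the Univention Management Console
and the protected resource could be the OpenLDAP slapd.

Configuration of the SASL plugin is done via a sasl.conf file
(e.g. /etc/ldap/sasl2/slapd.conf in UCS/Debian). Configuration of the PAM
is done via parameters of the library call in the PAM stack.

The implementation has been tested with Keycloak 23.0.x. The PAM and SASL
plugin check the aud claim as requested by RFC 9068. Keycloak 23 currently
doesn't automatically put aud into the access token, so the issuer has to be
configured to emit an aud claim matching the audiences configured here for
that check to pass. The PAM and SASL plugin can additionally check the azp
claim if configured accordingly.

%package -n %pampluginname
Summary: OAUTHBEARER plugin for PAM
# Old name:
Obsoletes: %{name}-pam < %{version}-%{release}
Provides: %{name}-pam = %{version}-%{release}

%description -n %pampluginname
PAM module for OAuth authentication.

This package contains a PAM module that performs a crude check on an OAuth
Access-Token. The JWT signature and date are verified, and access is granted
to the user taken from the token, for a configurable issuer and audiences.

%package -n %saslpluginname
Summary: OAUTHBEARER plugin for SASL2
# Old name:
Obsoletes: %{name}-sasl < %{version}-%{release}
Provides: %{name}-sasl = %{version}-%{release}
# Consistent cross-distro name:
Provides: sasl-oauthbearer = %{version}-%{release}

%description -n %saslpluginname
SASL plugin for OAUTHBEARER (RFC 7628) authentication.

This package contains a SASL plugin that performs a check on an OAuth Bearer
Access-Token. The JWT signature and date are verified, and access is granted
to the user taken from the token, for a configurable issuer and audiences.

%prep
# Unpack directory name is fixed by the commit-pinned Source0.
%autosetup -p1 -n %{name}-%{commit}
cd src
autoreconf --install --force

%build
cd src
%configure --with-pamlibdir=%{pamlibdir}/security --with-sasllibdir=%{sasllibdir}/sasl2
%make_build

%install
cd src
%make_install
# Libtool archives produced by the autotools build are not needed at runtime
# and should not be shipped.
find %{buildroot} -name '*.la' -delete

%files -n %pampluginname
%doc debian/changelog
%license debian/copyright
# Own only the module files; the security/ directory itself belongs to the
# distribution's PAM package.
%{pamlibdir}/security/*
%{_mandir}/man?/pam_oauthbearer.*

%files -n %saslpluginname
%doc debian/changelog
%license debian/copyright
# Own only the plugin files; the sasl2/ directory itself belongs to the
# distribution's SASL package.
%{sasllibdir}/sasl2/*
%{_mandir}/man?/sasl_oauthbearer.*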