# The naming scheme in non-Mandriva-based distros
%if 0%{!?mkrel:1}
%define mkrel(c) %{1}%{?dist}
%endif

%define commit a595e3c258a2eb08876fec37fe093bf1e101db4a
%define date 20250505

Name:           crudeoauth
Version:        1.0.0
# No stable release yet
Release:        %mkrel 0.git%{date}.1
Summary:        A SASL plugin and PAM implementation of OAUTHBEARER
License:        GPLv2
URL:            https://github.com/univention/crudeoauth
Source:         https://github.com/univention/crudeoauth/archive/refs/heads/master.zip#/%{name}-%{commit}.zip

BuildRequires:  automake
BuildRequires:  autoconf
BuildRequires:  libtool
BuildRequires:  gawk
BuildRequires:  gcc-c++
BuildRequires:  unzip
BuildRequires:  pkgconfig
BuildRequires:  pkgconfig(liborcania)
BuildRequires:  pkgconfig(librhonabwy) >= 1.1.1
BuildRequires:  pkgconfig(libyder)
BuildRequires:  pkgconfig(libsasl2)
BuildRequires:  pkgconfig(pam)
BuildRequires:  pkgconfig(jansson)
BuildRequires:  pkgconfig(gnutls)

%description
This is crudeoauth, a PAM and SASL plugin implementation of RFC 7628
OAUTHBEARER. The artifacts can be used
* by user-facing services:
  * to validate OAuth 2.0 access tokens using PAM
  * to perform SASL binds using the OAUTHBEARER mechanism, sending an
    OAuth 2.0 access token
* by protected resources:
  * to accept SASL binds using the OAUTHBEARER mechanism and validate
    OAuth 2.0 access tokens.

In UCS the user-facing service could be the Univention Management Console
and the protected resource could be the OpenLDAP slapd.

Configuration of the SASL plugin is done via a sasl.conf file
(e.g. /etc/ldap/sasl2/slapd.conf in UCS/Debian). Configuration of the PAM
module is done via parameters of the library call in the PAM stack.

The implementation has been tested with Keycloak 23.0.x. The PAM and SASL
plugins check the aud claim as required by RFC 9068. Keycloak 23 currently
doesn't automatically put aud into the access token. The PAM and SASL
plugins can additionally check the azp claim if configured accordingly.

%package pam
Summary:        OAUTHBEARER plugin for PAM

%description pam
PAM module for OAuth authentication

This package contains a PAM module that performs a crude check on an OAuth
access token. The JWT signature and date are verified, and access is granted
on behalf of the user named in the token for a configurable issuer and
audiences.

%package sasl
Summary:        OAUTHBEARER plugin for SASL2

%description sasl
SASL plugin for OAUTHBEARER (RFC 7628) authentication

This package contains a SASL plugin that performs a check on an OAuth bearer
access token. The JWT signature and date are verified, and access is granted
on behalf of the user named in the token for a configurable issuer and
audiences.

%prep
%autosetup -p1 -n %{name}-%{commit}
cd src
# How to create the configure script is undocumented but this seems to work.
install -d m4
aclocal
libtoolize -f
autoupdate
autoconf
automake --add-missing

%build
cd src
export CFLAGS="%{optflags} -Wno-implicit-function-declaration -Wno-int-conversion"
%configure --with-pamlibdir=%{_libdir}/security
%make_build

%install
cd src
%make_install

%files pam
%doc debian/changelog
%license debian/copyright
%{_libdir}/security/
%{_mandir}/man?/pam_oauthbearer.*

%files sasl
%doc debian/changelog
%license debian/copyright
%{_libdir}/sasl2/
%{_mandir}/man?/sasl_oauthbearer.*
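The %description sections above list the checks the plugins apply to an access token (signature, validity dates, issuer, the RFC 9068 aud claim, and optionally azp). The following is an added illustration of that check sequence, not crudeoauth's own code: crudeoauth verifies tokens against the issuer's real keys via librhonabwy, whereas this example uses a constructed HS256 shared key and constructed token values so it runs offline with only the Python standard library. The function names, the key, and every claim value are assumptions made for the example.

```python
# Added example (not crudeoauth's own code): the claim checks described in
# the spec's %description (signature, dates, iss, aud, optional azp) carried
# out on a constructed HS256 JWT using only the standard library.
# crudeoauth itself verifies real issuer keys via librhonabwy; the shared
# HMAC key and every token value below are constructed for this example.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT (constructed test input, not an OAuth server)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, key: bytes, issuer: str, audiences: set,
                   azp: Optional[str] = None,
                   now: Optional[float] = None) -> Optional[str]:
    """Return the token's subject if every check passes, otherwise None.

    Order matters: the signature is verified before any claim is trusted,
    the aud check is mandatory (RFC 9068), and azp is an additional check
    that only applies when the caller configures an expected value.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None                      # not a compact JWS
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":     # never let the token choose "none"
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None                      # forged or tampered token
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        return None                      # minted by a different issuer
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None                      # expired, not yet valid, or no exp
    aud = claims.get("aud", [])
    aud = {aud} if isinstance(aud, str) else set(aud)
    if not aud & audiences:
        return None                      # token meant for another resource
    if azp is not None and claims.get("azp") != azp:
        return None                      # wrong authorized party
    return claims.get("sub")


if __name__ == "__main__":
    key = b"constructed-shared-key"      # constructed, never use a static key
    now = time.time()
    tok = make_hs256_token({"iss": "https://idp.example/realms/ucs",
                            "sub": "alice", "aud": ["ldap"], "azp": "umc",
                            "nbf": now - 1, "exp": now + 300}, key)
    print(validate_token(tok, key, "https://idp.example/realms/ucs",
                         {"ldap"}, azp="umc"))
```

The string-or-list handling of aud mirrors RFC 7519, where aud may be either; treating a missing aud as an empty set is what makes the check fail closed for issuers that, like the Keycloak version mentioned above, do not add the claim by default.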