Custom authentication driver

I’ve created a simple authentication driver as a proof of concept, but I’m having a hard time testing it.

According to documentation, driver expects input in XML format:


I tried using oneuser login command to test the driver, but I can’t figure out how to specify options to get the desired input. For my driver to work, I need to pass username and secret.

I tried using command like

oneuser my-user

then I get prompted for the password, but the authentication fails. According to driver log, it got only as input, so neither username nor password got passed to the driver.

What am I doing wrong? What is the right way to pass username and secret to the driver?

You can test it using comand like:
oneuser show --user [username] --password [password]

Or you can put the credentials to the ~/.one/one_auth file

Ensure you added your auth driver to oned.conf

    EXECUTABLE = "one_auth_mad",
    AUTHN = "ssh,x509,ldap,server_cipher,server_x509,custom"
DEFAULT_AUTH = "custom"

I tried the command you describe, but still getting the same. Running

oneuser show --user user1-tenant1 --password xxxx

In the auth driver, I log the input, and this is what I get:

time="2020-08-13T11:05:03+02:00" level=info msg="Running authentication"
time="2020-08-13T11:05:03+02:00" level=debug msg="<AUTHN>\n"

Driver expects XML input in the form described in the documentation, but looks like it only gets <AUTHN> tag followed by newline. It’s like username and password were never passed to driver. I would expect the driver to get input like:


BTW, driver is registered and user is set to use that driver:

I’m really lost here :slight_smile:

How do you process the STDIN in the custom driver? Can you share it here?

You were right, I messed STDIN processing :-). I expected it would come in as a single line, as shown in sample documentation. I fixed it, so it works both ways now. Thanks a lot for your help!

BTW, if anyone is interested, complete driver code is available here. It’s based on JWT instead of relying on user password.

It’s just a prototype/proof-of-concept thing, but could be useful to someone as starting point for another driver. It’s tested only with Keycloak as IDP and works only with RSA256 signing algorithm.Maybe it would work with any compatible OpenID IDP, but I’m not sure.

Anyway, thanks again for your help.