feat: Add user profile selector feature for client configuration (#707)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: jkroepke

Makefile

@@ -76,6 +76,7 @@ fmt:
 	@-go run github.com/catenacyber/perfsprint@v0.10.1 --fix ./...
 	@-go run github.com/tetafro/godot/cmd/godot@v1.4.20 -w .
 	@-go run github.com/4meepo/tagalign/cmd/tagalign@v1.4.3 -fix -sort ./...
+	@-go run github.com/t34-dev/go-field-alignment/v2/cmd/gofield@v2.0.10 --files . -fix
 	@-go run golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment@v0.41.0 -test=false -fix ./...
 	@-go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.8.0 run ./...
 

docs/Client specific configuration.md

@@ -13,3 +13,163 @@ The feature must be enabled with `--openvpn.client-config.enabled`.
 
 openvpn-auth-oauth2 looks for a file
 named after the token claim or common name with `.conf` suffix in the client config directory.
+
+## Client Profile Selector
+
+The user profile selector feature allows users to choose their client configuration profile through a web UI after OAuth2 authentication. This is useful when:
+- Users need access to different VPN configurations (e.g., different network segments, access levels)
+- Profile assignments are determined by OAuth2 token claims (e.g., roles, groups, departments)
+- You want to provide a self-service experience for profile selection
+
+### Configuration Options
+
+#### Enable Profile Selector
+
+```bash
+--openvpn.client-config.user-selector.enabled
+```
+
+**Environment Variable:** `CONFIG_OPENVPN_CLIENT__CONFIG_USER__SELECTOR_ENABLED`
+
+**Default:** `false`
+
+When enabled, openvpn-auth-oauth2 will display a profile selection UI after successful OAuth2 authentication. Users can choose from available profiles before connecting to the VPN.
+
+Profile options are populated from:
+- Static values configured via `--openvpn.client-config.user-selector.static-values`
+- Token claim values from `--openvpn.client-config.token-claim` (if configured)
+
+**Note:** The profile selector only appears when there are 2 or more profiles available. If only one profile is available, it will be automatically selected without showing the UI.
+
+#### Static Profile Values
+
+```bash
+--openvpn.client-config.user-selector.static-values value1,value2,value3
+```
+
+**Environment Variable:** `CONFIG_OPENVPN_CLIENT__CONFIG_USER__SELECTOR_STATIC__VALUES`
+
+**Default:** (empty)
+
+A comma-separated list of static profile names that are always available in the profile selector UI. These profiles will be displayed as selectable options for all authenticated users, regardless of their token claims.
+
+**Example:**
+```bash
+--openvpn.client-config.user-selector.static-values corporate,guest,remote
+```
+
+This would show three profiles (corporate, guest, remote) to every user.
+
+
+### How It Works
+
+1. User completes OAuth2 authentication
+2. openvpn-auth-oauth2 extracts available profiles from:
+   - Static values (from `--openvpn.client-config.user-selector.static-values`)
+   - Token claim values (from `--openvpn.client-config.token-claim`, if configured
+   - supports both string and array values)
+3. Based on the number of profiles:
+   - **0 profiles:** Falls back to default behavior (uses username or token claim from `--openvpn.client-config.token-claim`)
+   - **1 profile:** Automatically selects that profile without showing UI
+   - **2+ profiles:** Displays profile selector UI to the user
+4. User selects a profile
+5. OpenVPN client configuration is applied based on the selected profile name
+
+### Profile Configuration Files
+
+After a profile is selected, openvpn-auth-oauth2 looks for a configuration file in the client config directory:
+
+```
+<client-config-path>/<selected-profile>.conf
+```
+
+For example, if a user selects the "corporate" profile, the file would be:
+```
+/path/to/client-config/corporate.conf
+```
+
+### Example Configurations
+
+#### Example 1: Static Profiles Only
+
+Allow all users to choose from three predefined profiles:
+
+```yaml
+openvpn:
+  client-config:
+    enabled: true
+    path: /etc/openvpn/client-config
+    user-selector:
+      enabled: true
+      static-values:
+        - full-access
+        - limited-access
+        - guest-access
+```
+
+Or via command line:
+```bash
+--openvpn.client-config.enabled \
+--openvpn.client-config.path=/etc/openvpn/client-config \
+--openvpn.client-config.user-selector.enabled \
+--openvpn.client-config.user-selector.static-values=full-access,limited-access,guest-access
+```
+
+#### Example 2: Dynamic Profiles from Token Claims
+
+Profiles are determined by the user's "groups" claim:
+
+```yaml
+openvpn:
+  client-config:
+    enabled: true
+    path: /etc/openvpn/client-config
+    token-claim: groups
+    user-selector:
+      enabled: true
+```
+
+If a user's ID token contains:
+```json
+{
+  "groups": ["engineering", "vpn-users"]
+}
+```
+
+They will see profiles "engineering" and "vpn-users" in the selector.
+
+#### Example 3: Combined Static and Dynamic Profiles
+
+Provide a "guest" profile to everyone, plus role-based profiles:
+
+```yaml
+openvpn:
+  client-config:
+    enabled: true
+    path: /etc/openvpn/client-config
+    token-claim: roles
+    user-selector:
+      enabled: true
+      static-values:
+        - guest
+```
+
+If a user has `"roles": ["admin", "developer"]` in their token, they will see three profiles:
+- guest (static)
+- admin (from token)
+- developer (from token)
+
+### Security Considerations
+
+- The profile selector validates that the selected profile is in the list of allowed profiles (from static values and/or token claims)
+- Invalid profile selections are rejected
+- All profile data is encrypted during transmission between the browser and server
+- Profile selection requires a valid OAuth2 authentication session
+
+### Interaction with Other Settings
+
+The user profile selector takes precedence over the `--openvpn.client-config.token-claim` setting when enabled. The flow is:
+
+1. If `user-selector.enabled` is true and multiple profiles are available → Show profile selector
+2. If `user-selector.enabled` is true and one profile is available → Use that profile automatically
+3. Otherwise → Fall back to standard behavior using `--openvpn.client-config.token-claim` if configured

docs/Configuration.md

@@ -42,6 +42,8 @@ Usage of openvpn-auth-oauth2:
     	listen addr for client listener (env: CONFIG_HTTP_LISTEN) (default ":9000")
   --http.secret value
     	Random generated secret for cookie encryption. Must be 16, 24 or 32 characters. If argument starts with file:// it reads the secret from a file. (env: CONFIG_HTTP_SECRET)
+  --http.short-url
+    	Enable short URL. The URL which is used for initial authentication will be reduced to /?s=... instead of /oauth2/start?state=... (env: CONFIG_HTTP_SHORT__URL)
   --http.template value
     	Path to a HTML file which is displayed at the end of the screen. See https://github.com/jkroepke/openvpn-auth-oauth2/wiki/Layout-Customization for more information. (env: CONFIG_HTTP_TEMPLATE)
   --http.tls
@@ -76,12 +78,12 @@ Usage of openvpn-auth-oauth2:
     	oauth2 issuer (env: CONFIG_OAUTH2_ISSUER)
   --oauth2.nonce
     	If true, a nonce will be defined on the auth URL which is expected inside the token. (env: CONFIG_OAUTH2_NONCE) (default true)
-  --oauth2.refresh-nonce value
-    	Controls nonce behavior on refresh token requests. Options: auto (try with nonce, retry without on error), empty (always use empty nonce), equal (use same nonce as initial auth). (env: CONFIG_OAUTH2_REFRESH__NONCE) (default auto)
   --oauth2.pkce
     	If true, Proof Key for Code Exchange (PKCE) RFC 7636 is used for token exchange. (env: CONFIG_OAUTH2_PKCE) (default true)
   --oauth2.provider string
     	oauth2 provider (env: CONFIG_OAUTH2_PROVIDER) (default "generic")
+  --oauth2.refresh-nonce value
+    	Controls nonce behavior on refresh token requests. Options: auto (try with nonce, retry without on error), empty (always use empty nonce), equal (use same nonce as initial auth). (env: CONFIG_OAUTH2_REFRESH__NONCE) (default auto)
   --oauth2.refresh.enabled
     	If true, openvpn-auth-oauth2 stores refresh tokens and will use it do an non-interaction reauth. (env: CONFIG_OAUTH2_REFRESH_ENABLED)
   --oauth2.refresh.expires duration
@@ -124,6 +126,10 @@ Usage of openvpn-auth-oauth2:
     	Path to the CCD directory. openvpn-auth-oauth2 will look for an file with an .conf suffix and returns the content back. (env: CONFIG_OPENVPN_CLIENT__CONFIG_PATH)
   --openvpn.client-config.token-claim string
     	If non-empty, the value of the token claim is used to lookup the configuration file in the CCD directory. If empty, the common name is used. (env: CONFIG_OPENVPN_CLIENT__CONFIG_TOKEN__CLAIM)
+  --openvpn.client-config.user-selector.enabled
+    	If true, openvpn-auth-oauth2 will display a profile selection UI after OAuth2 authentication, allowing users to choose their client configuration profile. Profile options are populated from openvpn.client-config.user-selector.static-values and openvpn.client-config.token-claim (if configured). After selection, the chosen profile name is used to lookup the configuration file in the CCD directory. (env: CONFIG_OPENVPN_CLIENT__CONFIG_USER__SELECTOR_ENABLED)
+  --openvpn.client-config.user-selector.static-values value
+    	Comma-separated list of static profile names that are always available in the profile selector UI. These profiles will be displayed as selectable options for all users. (env: CONFIG_OPENVPN_CLIENT__CONFIG_USER__SELECTOR_STATIC__VALUES)
   --openvpn.common-name.environment-variable-name string
     	Name of the environment variable in the OpenVPN management interface which contains the common name. If username-as-common-name is enabled, this should be set to 'username' to use the username as common name. Other values like 'X509_0_emailAddress' are supported. See https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/#environmental-variables for more information. (env: CONFIG_OPENVPN_COMMON__NAME_ENVIRONMENT__VARIABLE__NAME) (default "common_name")
   --openvpn.common-name.mode value

docs/Layout Customization.md

@@ -12,14 +12,41 @@ Available variables:
 - `{{.title}}`: `Access denied` or `Access granted`
 - `{{.message}}`: Potential error message or success message
 - `{{.errorID}}`: ErrorID of an error, if present
+- `{{.clientConfigProfiles}}`: List of available profiles, used to render the profile selection screen.
+- `{{.token}}`: An encrypted token to identify the user session, used for profile selection.
 
 The [go template engine](https://pkg.go.dev/text/template) is used to render the HTML file.
 
+## Client Profile Selector
+
+If the [Client Profile Selector](Client%20specific%20configuration.md#client-profile-selector) is enabled and multiple
+profiles are available for the user, a profile selection screen is shown. The custom template must handle this case by itself.
+
+Minimal example to render the profile selector:
+
+```gotemplate
+{{- if .clientConfigProfiles }}
+<div class="profile-buttons">
+  <form method="POST" action="./profile-submit" class="profile-form">
+    <input type="hidden" name="token" value="{{ .token }}">
+    {{- range .clientConfigProfiles }}
+    <input class="profile-button" type="submit" name="profile" value="{{ . }}">
+    {{- end }}
+  </form>
+</div>
+{{- end }}
+```
+
+The default style uses CSS classes to style the profile selector:
+- `profile-buttons`: Container for the profile buttons
+- `profile-form`: Form containing the profile buttons
+- `profile-button`: Individual profile button
+
 ## Overriding the default assets
 
 To override the default assets, you can configure `http.assets-path` with the path to the directory containing the assets.
 
-The default assets are here:
+The default assets:
 
 - `style.css`: CSS file to enrich the default layout. By default, it is empty.
 - `mvp.css`: [MVP](https://github.com/andybrewer/mvp) CSS framework
@@ -28,6 +55,8 @@ The default assets are here:
 - `i18n/<lang>.json`: Language specific localization file. <lang> is the language code, e.g., `en` for English.
   See [de.json](https://github.com/jkroepke/openvpn-auth-oauth2/blob/main/internal/ui/static/i18n/de.json) for an example.
 
+Alternatively, you link additional assets via external locations inside your custom template.
+
 ## Custom localization
 
 If you want to provide custom localization, you have to configure `http.assets-path` first. In the assets directory,

internal/config/config_test.go

@@ -118,6 +118,10 @@ openvpn:
         enabled: true
         token-claim: sub
         path: "."
+        user-selector:
+            enabled: true
+            static-values:
+            - "default"
     common-name:
         environment-variable-name: X509_0_emailAddress
         mode: omit
@@ -192,6 +196,10 @@ http:
 
 							return dirFS
 						}(),
+						UserSelector: config.OpenVPNConfigProfileSelector{
+							Enabled:      true,
+							StaticValues: []string{"default"},
+						},
 					},
 					Password:           "1jd93h5b6s82lf03jh5b2hf9",
 					AuthTokenUser:      true,

internal/config/defaults.go

@@ -51,6 +51,10 @@ var Defaults = Config{
 		ClientConfig: OpenVPNConfig{
 			Enabled: false,
 			Path:    types.FS{FS: os.DirFS("/etc/openvpn-auth-oauth2/client-config-dir/")},
+			UserSelector: OpenVPNConfigProfileSelector{
+				Enabled:      false,
+				StaticValues: make(types.StringSlice, 0),
+			},
 		},
 		CommonName: OpenVPNCommonName{
 			EnvironmentVariableName: "common_name",

internal/config/flags.go

@@ -167,6 +167,21 @@ func (c *Config) flagSetOpenVPN(flagSet *flag.FlagSet) {
 		lookupEnvOrDefault("openvpn.client-config.token-claim", c.OpenVPN.ClientConfig.TokenClaim),
 		"If non-empty, the value of the token claim is used to lookup the configuration file in the CCD directory. If empty, the common name is used.",
 	)
+	flagSet.BoolVar(
+		&c.OpenVPN.ClientConfig.UserSelector.Enabled,
+		"openvpn.client-config.user-selector.enabled",
+		lookupEnvOrDefault("openvpn.client-config.user-selector.enabled", c.OpenVPN.ClientConfig.UserSelector.Enabled),
+		"If true, openvpn-auth-oauth2 will display a profile selection UI after OAuth2 authentication, allowing users to choose their client configuration profile. "+
+			"Profile options are populated from openvpn.client-config.user-selector.static-values and openvpn.client-config.token-claim (if configured). "+
+			"After selection, the chosen profile name is used to lookup the configuration file in the CCD directory.",
+	)
+	flagSet.TextVar(
+		&c.OpenVPN.ClientConfig.UserSelector.StaticValues,
+		"openvpn.client-config.user-selector.static-values",
+		lookupEnvOrDefault("openvpn.client-config.user-selector.static-values", c.OpenVPN.ClientConfig.UserSelector.StaticValues),
+		"Comma-separated list of static profile names that are always available in the profile selector UI. "+
+			"These profiles will be displayed as selectable options for all users.",
+	)
 	flagSet.StringVar(
 		&c.OpenVPN.CommonName.EnvironmentVariableName,
 		"openvpn.common-name.environment-variable-name",

internal/config/types.go

@@ -22,8 +22,8 @@ type Config struct {
 	HTTP       HTTP    `json:"http"    yaml:"http"`
 	Debug      Debug   `json:"debug"   yaml:"debug"`
 	Log        Log     `json:"log"     yaml:"log"`
-	OpenVPN    OpenVPN `json:"openvpn" yaml:"openvpn"`
 	OAuth2     OAuth2  `json:"oauth2"  yaml:"oauth2"`
+	OpenVPN    OpenVPN `json:"openvpn" yaml:"openvpn"`
 }
 
 type HTTP struct {
@@ -53,10 +53,10 @@ type Log struct {
 type OpenVPN struct {
 	Addr               types.URL          `json:"addr"                 yaml:"addr"`
 	Password           types.Secret       `json:"password"             yaml:"password"`
-	ClientConfig       OpenVPNConfig      `json:"client-config"        yaml:"client-config"`
 	Bypass             OpenVPNBypass      `json:"bypass"               yaml:"bypass"`
 	CommonName         OpenVPNCommonName  `json:"common-name"          yaml:"common-name"`
 	Passthrough        OpenVPNPassthrough `json:"pass-through"         yaml:"pass-through"`
+	ClientConfig       OpenVPNConfig      `json:"client-config"        yaml:"client-config"`
 	AuthPendingTimeout time.Duration      `json:"auth-pending-timeout" yaml:"auth-pending-timeout"`
 	CommandTimeout     time.Duration      `json:"command-timeout"      yaml:"command-timeout"`
 	AuthTokenUser      bool               `json:"auth-token-user"      yaml:"auth-token-user"`
@@ -68,9 +68,15 @@ type OpenVPNBypass struct {
 	CommonNames types.RegexpSlice `json:"common-names" yaml:"common-names"`
 }
 type OpenVPNConfig struct {
-	Path       types.FS `json:"path"        yaml:"path"`
-	TokenClaim string   `json:"token-claim" yaml:"token-claim"`
-	Enabled    bool     `json:"enabled"     yaml:"enabled"`
+	Path         types.FS                     `json:"path"          yaml:"path"`
+	TokenClaim   string                       `json:"token-claim"   yaml:"token-claim"`
+	UserSelector OpenVPNConfigProfileSelector `json:"user-selector" yaml:"user-selector"`
+	Enabled      bool                         `json:"enabled"       yaml:"enabled"`
+}
+
+type OpenVPNConfigProfileSelector struct {
+	StaticValues types.StringSlice `json:"static-values" yaml:"static-values"`
+	Enabled      bool              `json:"enabled"       yaml:"enabled"`
 }
 
 type OpenVPNCommonName struct {

internal/httphandler/handler.go

@@ -44,6 +44,7 @@ func New(conf config.Config, oAuth2Client *oauth2.Client) *http.ServeMux {
 	mux.Handle(fmt.Sprintf("GET %s/assets/", basePath), http.StripPrefix(basePath+"/assets/", http.FileServerFS(conf.HTTP.AssetPath)))
 	mux.Handle(fmt.Sprintf("GET %s/oauth2/start", basePath), noCacheHeaders(oAuth2Client.OAuth2Start()))
 	mux.Handle(fmt.Sprintf("GET %s/oauth2/callback", basePath), noCacheHeaders(oAuth2Client.OAuth2Callback()))
+	mux.Handle(fmt.Sprintf("POST %s/oauth2/profile-submit", basePath), noCacheHeaders(oAuth2Client.OAuth2ProfileSubmit()))
 
 	return mux
 }