* git smart http + apache mod_auth_openidc @ 2019-10-15 15:59 Ralph Ewig 2019-10-16 23:33 ` brian m. carlson 0 siblings, 1 reply; 8+ messages in thread From: Ralph Ewig @ 2019-10-15 15:59 UTC (permalink / raw) To: git Hi Everyone, hoping you might have a solution for this problem: CONTEXT * I'm serving git repos using "smart https" via apache and basic authentication; everything works fine. * We're moving to SSO via Azure AD and apache mod_auth_openidc; this works fine for gitweb (on the same server as git). PROBLEM When trying to clone a repo with the OIDC setup, git breaks on the redirect for user authentication with the following error message (replaced server ids etc with xxx): C:\Users\void>git clone --progress -v "https://git.xxx.xxx/WebApps.git" Cloning into 'WebApps'... fatal: unable to update url base from redirection: asked for: https://git.xxx.xxx/WebApps.git/info/refs?service=git-upload-pack redirect: https://login.microsoftonline.com/xxx/oauth2/authorize?response_type=code&scope=openid&client_id=xxx&state=xxx&redirect_uri=https%3A%2F%2Fgit.xxx.xxx%2Fredirect&nonce=xxx Can the git client just not handle a web based redirect for login, or is this a configuration issue? Any ideas would be greatly appreciated. Thanks! Ralph ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: git smart http + apache mod_auth_openidc 2019-10-15 15:59 git smart http + apache mod_auth_openidc Ralph Ewig @ 2019-10-16 23:33 ` brian m. carlson 2019-10-17 3:00 ` Ralph Ewig 0 siblings, 1 reply; 8+ messages in thread From: brian m. carlson @ 2019-10-16 23:33 UTC (permalink / raw) To: Ralph Ewig; +Cc: git [-- Attachment #1: Type: text/plain, Size: 2168 bytes --] On 2019-10-15 at 15:59:03, Ralph Ewig wrote: > Hi Everyone, hoping you might have a solution for > this problem: > > CONTEXT > > * I'm serving git repos using "smart https" via > apache and basic authentication; everything works > fine. > * We're moving to SSO via Azure AD and apache > mod_auth_openidc; this works fine for gitweb (on > the same server as git). > > PROBLEM > > When trying to clone a repo with the OIDC setup, > git breaks on the redirect for user authentication > with the following error message (replaced server > ids etc with xxx): > > C:\Users\void>git clone --progress -v > "https://git.xxx.xxx/WebApps.git" > Cloning into 'WebApps'... > fatal: unable to update url base from > redirection: > asked for: > https://git.xxx.xxx/WebApps.git/info/refs?service=git-upload-pack > redirect: > https://login.microsoftonline.com/xxx/oauth2/authorize?response_type=code&scope=openid&client_id=xxx&state=xxx&redirect_uri=https%3A%2F%2Fgit.xxx.xxx%2Fredirect&nonce=xxx > > > Can the git client just not handle a web based > redirect for login, or is this a configuration > issue? Any ideas would be greatly appreciated. Thanks! The Git client doesn't handle any sort of web-based login. In general, in order to do web-based login, you have to provide a fully functional graphical web browser, and Git operates in many environments that don't have one (such as servers, containers, and headless systems). You should treat your Git server like you would treat any API you may access, since essentially it is one. That means that you would need to provide a way to use some sort of external credential. I know next to nothing about Azure AD, but it claims to support Kerberos, so you may be able to use that in conjunction with libcurl's GSS-Negotiate support and Apache's mod_auth_kerb (which is shipped in Debian). I use Kerberos-based authentication for my personal server (which is Linux, not AD) and it does work, so it is possible to set up. -- brian m. carlson: Houston, Texas, US OpenPGP: https://keybase.io/bk2204 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 868 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: git smart http + apache mod_auth_openidc 2019-10-16 23:33 ` brian m. carlson @ 2019-10-17 3:00 ` Ralph Ewig 2019-10-17 6:03 ` Jeff King 0 siblings, 1 reply; 8+ messages in thread From: Ralph Ewig @ 2019-10-17 3:00 UTC (permalink / raw) To: brian m. carlson, git Thanks for the reply. I was hoping the Git GUI might be able to handle the OpenID authentication flow, but it makes sense that it would be inconsistent with other git clients. Azure AD does support both LDAP and Kerberos, but unfortunately only as an extra cost add-on called "Domain Services". I might try to hack up a script to just sync the Azure AD password hashes to the htpassword file. Otherwise I guess I'll have to bite the bullet and pay the extra bill. Nonetheless, thank you for the suggestion! Ralph On 10/16/2019 4:33 PM, brian m. carlson wrote: > On 2019-10-15 at 15:59:03, Ralph Ewig wrote: >> Hi Everyone, hoping you might have a solution for >> this problem: >> >> CONTEXT >> >> * I'm serving git repos using "smart https" via >> apache and basic authentication; everything works >> fine. >> * We're moving to SSO via Azure AD and apache >> mod_auth_openidc; this works fine for gitweb (on >> the same server as git). >> >> PROBLEM >> >> When trying to clone a repo with the OIDC setup, >> git breaks on the redirect for user authentication >> with the following error message (replaced server >> ids etc with xxx): >> >> C:\Users\void>git clone --progress -v >> "https://git.xxx.xxx/WebApps.git" >> Cloning into 'WebApps'... >> fatal: unable to update url base from >> redirection: >> asked for: >> https://git.xxx.xxx/WebApps.git/info/refs?service=git-upload-pack >> redirect: >> https://login.microsoftonline.com/xxx/oauth2/authorize?response_type=code&scope=openid&client_id=xxx&state=xxx&redirect_uri=https%3A%2F%2Fgit.xxx.xxx%2Fredirect&nonce=xxx >> >> >> Can the git client just not handle a web based >> redirect for login, or is this a configuration >> issue? Any ideas would be greatly appreciated. Thanks! > The Git client doesn't handle any sort of web-based login. In general, > in order to do web-based login, you have to provide a fully functional > graphical web browser, and Git operates in many environments that don't > have one (such as servers, containers, and headless systems). > > You should treat your Git server like you would treat any API you may > access, since essentially it is one. That means that you would need to > provide a way to use some sort of external credential. > > I know next to nothing about Azure AD, but it claims to support > Kerberos, so you may be able to use that in conjunction with libcurl's > GSS-Negotiate support and Apache's mod_auth_kerb (which is shipped in > Debian). I use Kerberos-based authentication for my personal server > (which is Linux, not AD) and it does work, so it is possible to set up. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: git smart http + apache mod_auth_openidc 2019-10-17 3:00 ` Ralph Ewig @ 2019-10-17 6:03 ` Jeff King 2019-10-17 14:21 ` Ralph Ewig 2019-10-17 14:33 ` Ralph Ewig 0 siblings, 2 replies; 8+ messages in thread From: Jeff King @ 2019-10-17 6:03 UTC (permalink / raw) To: Ralph Ewig; +Cc: brian m. carlson, git On Thu, Oct 17, 2019 at 03:00:58AM +0000, Ralph Ewig wrote: > Thanks for the reply. I was hoping the Git GUI > might be able to handle the OpenID authentication > flow, but it makes sense that it would be > inconsistent with other git clients. I don't think we'd ever do the full flow, but it might be that it's possible to use a token generated by the flow in a separate browser session. This is easy to do if you can provide the token to the server in place of a password. E.g., if you use 2FA on GitHub, you can generate a limited token that allows you to connect for Git operations. You can also use time-limited tokens and feed them from a custom credential helper, which does the full authentication flow from a web browser. I think Google does (or did) have such a thing internally, but I don't think any part of it was made public (it was discussed on the list a couple times in the early days of credential helpers). That would still have to end up with a token "password" to send over basic auth, I think. There was some discussion a while back of letting credential helpers pass back content for HTTP "Authorization" headers, but I don't think anything was ever merged. > >> C:\Users\void>git clone --progress -v > >> "https://git.xxx.xxx/WebApps.git" > >> Cloning into 'WebApps'... > >> fatal: unable to update url base from > >> redirection: > >> asked for: > >> https://git.xxx.xxx/WebApps.git/info/refs?service=git-upload-pack > >> redirect: > >> https://login.microsoftonline.com/xxx/oauth2/authorize?response_type=code&scope=openid&client_id=xxx&state=xxx&redirect_uri=https%3A%2F%2Fgit.xxx.xxx%2Fredirect&nonce=xxx You're running into one other complexity here, which is that we don't allow cross-server redirects during the initial conversation. So even if you did have an auth flow where we could somehow provide all the information via Git, we'd still be unhappy about bouncing between multiple servers. Mostly that's there to avoid leaking credentials. We only have one notion of "the username and password we're using" for a given fetch, so we want to avoid leaking it if we're redirected to another server. But obviously Git _could_ be smarter there, if this was the only blocker remaining (but from my understanding of OpenID, it's not). -Peff ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: git smart http + apache mod_auth_openidc 2019-10-17 6:03 ` Jeff King @ 2019-10-17 14:21 ` Ralph Ewig 2019-10-17 14:33 ` Ralph Ewig 1 sibling, 0 replies; 8+ messages in thread From: Ralph Ewig @ 2019-10-17 14:21 UTC (permalink / raw) To: Jeff King; +Cc: brian m. carlson, git Interesting ... I have not looked at access tokens before, but did find some documentation online that describes how Azure AD Jason Web Tokens can be used to authenticate a headless API (https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens), This seems to be a fit in this scenario, but is admittedly a bit deeper into the weeds than I'm familiar with. I'll keep digging in to see if I can find a solution along that route. Really appreciate the pointer! Ralph On 10/16/2019 11:03 PM, Jeff King wrote: > On Thu, Oct 17, 2019 at 03:00:58AM +0000, Ralph Ewig wrote: > >> Thanks for the reply. I was hoping the Git GUI >> might be able to handle the OpenID authentication >> flow, but it makes sense that it would be >> inconsistent with other git clients. > I don't think we'd ever do the full flow, but it might be that it's > possible to use a token generated by the flow in a separate browser > session. This is easy to do if you can provide the token to the server > in place of a password. E.g., if you use 2FA on GitHub, you can generate > a limited token that allows you to connect for Git operations. > > You can also use time-limited tokens and feed them from a custom > credential helper, which does the full authentication flow from a web > browser. I think Google does (or did) have such a thing internally, but > I don't think any part of it was made public (it was discussed on the > list a couple times in the early days of credential helpers). > > That would still have to end up with a token "password" to send over > basic auth, I think. There was some discussion a while back of letting > credential helpers pass back content for HTTP "Authorization" headers, > but I don't think anything was ever merged. > >>>> C:\Users\void>git clone --progress -v >>>> "https://git.xxx.xxx/WebApps.git" >>>> Cloning into 'WebApps'... >>>> fatal: unable to update url base from >>>> redirection: >>>> asked for: >>>> https://git.xxx.xxx/WebApps.git/info/refs?service=git-upload-pack >>>> redirect: >>>> https://login.microsoftonline.com/xxx/oauth2/authorize?response_type=code&scope=openid&client_id=xxx&state=xxx&redirect_uri=https%3A%2F%2Fgit.xxx.xxx%2Fredirect&nonce=xxx > You're running into one other complexity here, which is that we don't > allow cross-server redirects during the initial conversation. So even if > you did have an auth flow where we could somehow provide all the > information via Git, we'd still be unhappy about bouncing between > multiple servers. > > Mostly that's there to avoid leaking credentials. We only have one > notion of "the username and password we're using" for a given fetch, so > we want to avoid leaking it if we're redirected to another server. But > obviously Git _could_ be smarter there, if this was the only blocker > remaining (but from my understanding of OpenID, it's not). > > -Peff ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: git smart http + apache mod_auth_openidc 2019-10-17 6:03 ` Jeff King 2019-10-17 14:21 ` Ralph Ewig @ 2019-10-17 14:33 ` Ralph Ewig 2019-10-17 22:55 ` brian m. carlson 1 sibling, 1 reply; 8+ messages in thread From: Ralph Ewig @ 2019-10-17 14:33 UTC (permalink / raw) To: Jeff King; +Cc: brian m. carlson, git Quick follow up question: can the git client pass a token read from a cookie with a request? That would enable users to sign-in via a browser, store the cookie, and then use that as the access token to authenticate a git request. On 10/16/2019 11:03 PM, Jeff King wrote: > On Thu, Oct 17, 2019 at 03:00:58AM +0000, Ralph Ewig wrote: > >> Thanks for the reply. I was hoping the Git GUI >> might be able to handle the OpenID authentication >> flow, but it makes sense that it would be >> inconsistent with other git clients. > I don't think we'd ever do the full flow, but it might be that it's > possible to use a token generated by the flow in a separate browser > session. This is easy to do if you can provide the token to the server > in place of a password. E.g., if you use 2FA on GitHub, you can generate > a limited token that allows you to connect for Git operations. > > You can also use time-limited tokens and feed them from a custom > credential helper, which does the full authentication flow from a web > browser. I think Google does (or did) have such a thing internally, but > I don't think any part of it was made public (it was discussed on the > list a couple times in the early days of credential helpers). > > That would still have to end up with a token "password" to send over > basic auth, I think. There was some discussion a while back of letting > credential helpers pass back content for HTTP "Authorization" headers, > but I don't think anything was ever merged. > >>>> C:\Users\void>git clone --progress -v >>>> "https://git.xxx.xxx/WebApps.git" >>>> Cloning into 'WebApps'... >>>> fatal: unable to update url base from >>>> redirection: >>>> asked for: >>>> https://git.xxx.xxx/WebApps.git/info/refs?service=git-upload-pack >>>> redirect: >>>> https://login.microsoftonline.com/xxx/oauth2/authorize?response_type=code&scope=openid&client_id=xxx&state=xxx&redirect_uri=https%3A%2F%2Fgit.xxx.xxx%2Fredirect&nonce=xxx > You're running into one other complexity here, which is that we don't > allow cross-server redirects during the initial conversation. So even if > you did have an auth flow where we could somehow provide all the > information via Git, we'd still be unhappy about bouncing between > multiple servers. > > Mostly that's there to avoid leaking credentials. We only have one > notion of "the username and password we're using" for a given fetch, so > we want to avoid leaking it if we're redirected to another server. But > obviously Git _could_ be smarter there, if this was the only blocker > remaining (but from my understanding of OpenID, it's not). > > -Peff ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: git smart http + apache mod_auth_openidc 2019-10-17 14:33 ` Ralph Ewig @ 2019-10-17 22:55 ` brian m. carlson 2019-10-18 1:18 ` Ralph Ewig 0 siblings, 1 reply; 8+ messages in thread From: brian m. carlson @ 2019-10-17 22:55 UTC (permalink / raw) To: Ralph Ewig; +Cc: Jeff King, git [-- Attachment #1: Type: text/plain, Size: 1167 bytes --] On 2019-10-17 at 14:33:38, Ralph Ewig wrote: > Quick follow up question: can the git client pass > a token read from a cookie with a request? That > would enable users to sign-in via a browser, store > the cookie, and then use that as the access token > to authenticate a git request. Git has an option, http.cookieFile, that can read a cookie from a file, yes. That does, of course, require that you're able to put the cookie in a file from a web browser. I'm not aware of any web browsers that easily provide an option to dump cookies into a file. Also, just as a note, this approach definitely won't work for automated systems you have, such as CI systems. That's why I suggested Kerberos: because you can have services that have principals and you can use those credentials in your CI systems to access code and run jobs. Clearly you know your infrastructure and users better than I do, but I don't recommend having a web-based sign-on as your only form of authentication for a Git server. It's going to cause a lot of pain and inconvenience on all sides. -- brian m. carlson: Houston, Texas, US OpenPGP: https://keybase.io/bk2204 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 868 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: git smart http + apache mod_auth_openidc 2019-10-17 22:55 ` brian m. carlson @ 2019-10-18 1:18 ` Ralph Ewig 0 siblings, 0 replies; 8+ messages in thread From: Ralph Ewig @ 2019-10-18 1:18 UTC (permalink / raw) To: brian m. carlson, Jeff King, git Understood (and agree). We do use git for source code (where we use SSH and key authentication for CI/CD), but also for configuration control of other files like financial reports, engineering drawings, etc. where access is via HTTPS. In that 2nd group the challenge is to make it as "not coding like" as possible so the non-developer crowd isn't scared off. Since we use trac for project management company wide (all verticals), my latest idea is to intercept the git http request on the server side to authenticate against the trac session info stored in the db (using a custom php script), and then pass it on to git-http-backend or throw an error prompting the user to sign into trac first. Most users are signed into trac 24/7 anyway since its central to our workflow. in the end paying the extra fee for MS Domain Services to get SSO via LDAP or Kerberos might be the right answer though - just trying to be scrappy if I can since it's an early stage startup. Nonetheless really appreciate the exchange of ideas! Ralph On 10/17/2019 3:55 PM, brian m. carlson wrote: > On 2019-10-17 at 14:33:38, Ralph Ewig wrote: >> Quick follow up question: can the git client pass >> a token read from a cookie with a request? That >> would enable users to sign-in via a browser, store >> the cookie, and then use that as the access token >> to authenticate a git request. > Git has an option, http.cookieFile, that can read a cookie from a file, > yes. That does, of course, require that you're able to put the cookie > in a file from a web browser. I'm not aware of any web browsers that > easily provide an option to dump cookies into a file. > > Also, just as a note, this approach definitely won't work for automated > systems you have, such as CI systems. That's why I suggested Kerberos: > because you can have services that have principals and you can use those > credentials in your CI systems to access code and run jobs. > > Clearly you know your infrastructure and users better than I do, but I > don't recommend having a web-based sign-on as your only form of > authentication for a Git server. It's going to cause a lot of pain and > inconvenience on all sides. ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-10-18 1:18 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-10-15 15:59 git smart http + apache mod_auth_openidc Ralph Ewig 2019-10-16 23:33 ` brian m. carlson 2019-10-17 3:00 ` Ralph Ewig 2019-10-17 6:03 ` Jeff King 2019-10-17 14:21 ` Ralph Ewig 2019-10-17 14:33 ` Ralph Ewig 2019-10-17 22:55 ` brian m. carlson 2019-10-18 1:18 ` Ralph Ewig
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.