On 2020-11-28 at 22:51, Ionel GARDAIS wrote:
I agree with you: redirect hell is hard to cope with when the target tool does 
not provide a way to authenticate users with a side-auth. (Usually it takes the 
form of a token sent as auth. Unfortunately this is only available with Nexus 
Pro along with SAML auth, not the OSS one.)


SSO is handled by Keycloak.

OK, I snooped a bit into Keycloak. It seems to be a decent OpenID Connect provider. My experience is limited to Ping Identity at work.

The client is configured with an ‘HTTP Basic auth flow’, which makes Keycloak use 
basic auth instead of a form for authentication.
oauth2-proxy redirects the request to SSO if the right cookie is not already 
set.

Flow would be:
- Maven connects to the repository, sending the Authorization header

Can you elaborate this step? How is Maven supposed to send a header when the target server never challenges the client?

- the auth cookie is not set, so oauth proxy redirects the client to the SSO
- as with curl's --location-trusted, the Authorization header would be sent to the 
SSO

So, Keycloak does challenge the client with Basic?

- the SSO accepts the auth, sets the cookie and redirects the client back to the 
repository
- the request is caught again by oauth proxy, but due to the cookie's presence, 
it can confirm SSO auth and set the user header so Nexus Remote User Token auth 
is happy and the artifact is downloaded.

I assume the token cookie is scoped for your entire enterprise domain?
How do you pass the sub claim to Nexus? With RUT (claim-to-header transformation)?

M

On 28 Nov 2020 at 22:11, Michael Osipov <[email protected]> wrote:

On 2020-11-28 at 22:01, Ionel GARDAIS wrote:
Hi list,
Is there a way to allow maven to send Authorization header on redirect like 
curl's --location-trusted ?
From what I understand,
https://github.com/apache/maven-wagon/blob/c956aac9007303ce9e1746c834d58dff097ce3d6/wagon-providers/wagon-http-shared/src/main/java/org/apache/maven/wagon/shared/http/AbstractHttpClientWagon.java#L613
restricts authentication to the target host.
However, if an SSO redirect occurs when connecting to the maven repository, 
auth is lost as the host is likely to have a different hostname.
Is 'maven.wagon.http.ssl.location-trusted' something that could be 
implemented to bypass AuthScope?
Or alternatively, how to authenticate maven with a multi-round auth ?
(My use case is a Nexus OSS repo with RUT enabled, behind oauth2-proxy)

Read my extensive analysis on that topic here: 
https://issues.apache.org/jira/browse/WAGON-590

I never liked that stupid redirect hell many systems perform these days, 
including OIDC with Authorization Code Flow.

A question aside, how do you plan to pass the flow with stock Wagon w/o having 
a browser, are you using ROPC Grant?

Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]


--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 30




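The redirect chain laid out in this thread (Maven, then oauth2-proxy in front of Nexus, then Keycloak on the HTTP Basic flow, then back to Nexus with a session cookie), as an added example that is not part of the thread and is not Maven Wagon, oauth2-proxy, Keycloak or Nexus code. The hostnames, the cookie name and domain, the remote-user header, the credentials and the preemptive sending of the Authorization header are all assumptions. It runs the same chain under the two client policies discussed: Wagon's AuthScope-style rule of sending credentials only to the target host, under which Keycloak never sees them and the chain dies with a 401, and curl's --location-trusted behaviour, under which the chain completes. It also shows why clients restrict this by default: with --location-trusted the same credentials go to whatever host a redirect points at.

```python
"""Simulation of the redirect chain from the thread: Maven -> oauth2-proxy in
front of Nexus -> Keycloak (HTTP Basic flow) -> back to Nexus with a cookie.

Constructed example. Not Maven Wagon, oauth2-proxy, Keycloak or Nexus code;
hostnames, cookie name, cookie domain, the remote-user header and the
credentials are assumptions. Servers are plain functions, nothing hits the
network."""
import base64
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, urlsplit

REPO = "nexus.example.com"         # assumed: oauth2-proxy in front of Nexus OSS
SSO = "sso.example.com"            # assumed: Keycloak
OUTSIDER = "mirror.example.org"    # assumed: some host outside the SSO domain
COOKIE = "_oauth2_proxy"           # assumed session cookie name
COOKIE_DOMAIN = ".example.com"     # assumed: cookie scoped to the whole domain
CREDS = "Basic " + base64.b64encode(b"alice:s3cret").decode()  # constructed
MAX_HOPS = 5


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def proxy_nexus(path, headers, redirect_to):
    """oauth2-proxy: without a valid session cookie, redirect to the SSO.
    With one, set the remote-user header Nexus RUT trusts and serve."""
    if headers.get("Cookie") == f"{COOKIE}=session-alice":
        return Response(200, {"X-Remote-User": "alice"}, f"artifact {path}")
    rd = quote(f"https://{REPO}{path}", safe="")
    return Response(302, {"Location": f"https://{redirect_to}/auth?rd={rd}"})


def keycloak(path, headers):
    """Keycloak client on the 'HTTP Basic' flow: challenge with 401; on valid
    credentials set the session cookie and redirect back to `rd`."""
    if headers.get("Authorization") != CREDS:
        return Response(401, {"WWW-Authenticate": 'Basic realm="sso"'})
    rd = parse_qs(urlsplit(path).query)["rd"][0]
    cookie = (f"{COOKIE}=session-alice", COOKIE_DOMAIN)
    return Response(302, {"Location": rd, "Set-Cookie": cookie})


def outsider(path, headers):
    """A host outside the SSO domain; it records what the client sent it."""
    return Response(200, {"Got-Authorization": headers.get("Authorization")})


def fetch(url, location_trusted=False, redirect_to=SSO):
    """Follow redirects the way an HTTP client does. Authorization is sent
    only to the host the request was built for (Maven Wagon's AuthScope)
    unless location_trusted=True, which mimics curl --location-trusted.
    Credentials go out preemptively (assumed), as the repo never challenges.
    Returns (final response, list of (host, status, authorization_sent))."""
    servers = {
        REPO: lambda p, h: proxy_nexus(p, h, redirect_to),
        SSO: keycloak,
        OUTSIDER: outsider,
    }
    target_host = urlsplit(url).hostname
    jar = {}    # cookie domain -> cookie, like a browser's cookie jar
    hops = []
    for _ in range(MAX_HOPS):
        parts = urlsplit(url)
        host = parts.hostname
        path = parts.path + (f"?{parts.query}" if parts.query else "")
        headers = {}
        if location_trusted or host == target_host:
            headers["Authorization"] = CREDS
        for domain, cookie in jar.items():
            if host.endswith(domain):
                headers["Cookie"] = cookie
        resp = servers[host](path, headers)
        hops.append((host, resp.status, "Authorization" in headers))
        if "Set-Cookie" in resp.headers:
            cookie, domain = resp.headers["Set-Cookie"]
            jar[domain] = cookie
        if resp.status == 302:
            url = resp.headers["Location"]
            continue
        return resp, hops
    return Response(508, body="redirect loop"), hops


if __name__ == "__main__":
    for trusted in (False, True):
        resp, hops = fetch(f"https://{REPO}/repository/maven/x.jar", trusted)
        print(f"location_trusted={trusted}: {resp.status} via {hops}")
    resp, hops = fetch(f"https://{REPO}/x.jar", True, redirect_to=OUTSIDER)
    print("credentials sent to", OUTSIDER, ":", resp.headers["Got-Authorization"] == CREDS)
```

The cookie jar keyed by domain is what makes the third hop work: Keycloak sets the cookie for the whole parent domain, so the client presents it to the Nexus host on the way back. Narrow the cookie to the SSO host and the trusted run loops back into the SSO until MAX_HOPS, which is the practical reason behind the question about cookie scope above. The third run is the cost of the trusted policy: the proxy's redirect target is the only thing deciding who receives the Basic credentials.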
