On Fri 29 Mar 2024 at 16:27, EML <sa212+apa...@cyconix.com> wrote:

> Before I do too much work on this, I'd like to do a sanity check. Does anyone know of a client which will access a repo over HTTPS, with an access/bearer token? This gives SSO and multi-factor authentication using OAuth2.
>
> The repo runs behind Apache httpd, which is using mod_auth_openidc. The config file sets 'AuthType openid-connect', and 'Require valid-user'. The repos additionally require a specific claim to access them ('Require claim x:y:z').
>
> This all works with git, using Git Credential Manager <https://github.com/git-ecosystem/git-credential-manager> (GCM; this is a cross-platform .NET Core app).
>
> Basically, two things need to be done:
>
> (1) HTTP requests need to specify 'Authorization: Bearer' with an access token. If you don't have an access token, something (a script, GCM, whatever) has to pop up a browser window and connect to an OAuth2 identity provider (IdP). The user then logs in (with MFA if configured), and the IdP then redirects back to localhost with a token. This means that the 'script' must also run a webserver to extract the token, which it can then add to the GET/POST/whatever request.
>
> (2) Subversion has to know about this in some way, and has to run the script to use a previously-generated token, or request a new one if necessary.
>
> The first step is not, I think, particularly difficult, and there are various existing scripts or apps out there that do some or all of the problem. GCM itself looks pretty complex. I'm not really sure what the complexity is. The choice to use .NET doesn't help (but it has to be multi-platform), but a lot of the complexity is presumably in how to use the credential manager to store tokens. There's also some complexity in handling different targets (GitHub, Bitbucket, Azure, whatever). However, there is a generic setup (which I use; this talks to Keycloak).
>
> My entire config (.gitconfig) to talk to Keycloak looks like this:
>
> [credential]
>     helper = cache --timeout 7200
>     helper = "oauth"
>
> [credential "<URL>"]
>     oauthScopes = "openid email"
>     oauthAuthURL = /keycloak/realms/<REALM>/protocol/openid-connect/auth
>     oauthTokenURL = /keycloak/realms/<REALM>/protocol/openid-connect/token
>     oauthClientId = openid-cli
>     oauthRedirectUri = http://127.0.0.1
>     oauthClientSecret = <CLIENT-SECRET>
This was actually discussed over on the TortoiseSVN dev list today in the following thread: https://groups.google.com/g/tortoisesvn-dev/c/ByECclvGKi8

I think the steps outlined by Thomas Åkerström are quite similar to what you are also suggesting. This should probably be discussed further on d...@subversion.apache.org.

Kind regards,
Daniel
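The flow EML describes in step (1), written out as a standalone script. This is an added example, not code from the thread, from Subversion, from GCM or from Keycloak: it binds a loopback callback server before the browser is opened (so the redirect URI, including its ephemeral port, is known), sends the user to the IdP with a random state and a PKCE challenge, extracts the authorization code from the redirect, exchanges it for tokens, and builds the 'Authorization: Bearer' header a Subversion HTTP request would need. The host idp.example.com, the realm name, the client id openid-cli (taken from the .gitconfig above) and svn.example.com are assumptions; PKCE (RFC 7636) is used instead of the client secret in the .gitconfig, since a CLI cannot keep a secret confidential anyway, and RFC 8252 lets a native client register http://127.0.0.1 with any port.

```python
"""Added example: OAuth2 authorization-code flow with PKCE over a loopback redirect,
as a credential helper for an HTTPS repo would run it. Endpoints below are assumed."""
import base64
import hashlib
import http.server
import json
import secrets
import urllib.parse
import urllib.request
import webbrowser

# Assumed Keycloak endpoints, mirroring the .gitconfig in the message above.
AUTH_URL = "https://idp.example.com/keycloak/realms/REALM/protocol/openid-connect/auth"
TOKEN_URL = "https://idp.example.com/keycloak/realms/REALM/protocol/openid-connect/token"
CLIENT_ID = "openid-cli"
SCOPES = "openid email"


def make_pkce_pair():
    """RFC 7636: random verifier plus its S256 challenge, so no client secret is needed."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_auth_url(redirect_uri, state, challenge):
    """Authorization request the browser is sent to; 'state' ties the redirect to this run."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
        "scope": SCOPES, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return AUTH_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Pull the authorization code out of the IdP redirect; refuse a wrong or missing state."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if "error" in query:
        raise RuntimeError("IdP returned error: %s" % query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: possible CSRF or stale redirect")
    if "code" not in query:
        raise RuntimeError("redirect carried no authorization code")
    return query["code"][0]


class CallbackServer(http.server.HTTPServer):
    """Loopback listener for the redirect; RFC 8252 allows any port on 127.0.0.1."""

    def __init__(self, expected_state):
        super().__init__(("127.0.0.1", 0), _CallbackHandler)  # port 0: pick a free one
        self.expected_state = expected_state
        self.code = None
        self.error = None
        self.timeout = 180  # handle_request() returns after this many idle seconds

    @property
    def redirect_uri(self):
        return "http://127.0.0.1:%d/" % self.server_address[1]


class _CallbackHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        try:
            self.server.code = parse_callback(self.path, self.server.expected_state)
            status, body = 200, b"Login complete; you can close this window."
        except RuntimeError as exc:
            self.server.error = str(exc)
            status, body = 400, b"Login failed; see the terminal."
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the redirect URL (and its code) out of stdout
        pass


def receive_code(server):
    """Serve exactly one request and return the code, or raise on timeout or IdP error."""
    server.handle_request()
    if server.code is None:
        raise RuntimeError(server.error or "timed out waiting for the IdP redirect")
    return server.code


def exchange_code(code, verifier, redirect_uri):
    """Swap the code for tokens at the token endpoint (network call; not run offline)."""
    form = urllib.parse.urlencode({
        "grant_type": "authorization_code", "client_id": CLIENT_ID, "code": code,
        "redirect_uri": redirect_uri, "code_verifier": verifier,
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=form,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def bearer_request(url, access_token, method="GET"):
    """The request the way Subversion's HTTP layer would have to send it."""
    return urllib.request.Request(url, method=method,
                                  headers={"Authorization": "Bearer " + access_token})


def login(open_browser=webbrowser.open):
    """Whole flow: bind the listener first so the redirect URI exists before the browser opens."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    server = CallbackServer(state)
    try:
        open_browser(build_auth_url(server.redirect_uri, state, challenge))
        code = receive_code(server)
    finally:
        server.server_close()
    return exchange_code(code, verifier, server.redirect_uri)


if __name__ == "__main__":
    tokens = login()
    req = bearer_request("https://svn.example.com/repos/trunk", tokens["access_token"], "OPTIONS")
    print("would send:", req.get_header("Authorization")[:14] + "...")
```

Step (2) of the message, having Subversion call something like `login()` only when no cached token exists and refresh it when the IdP rejects it, is the part this script does not cover; the `state` check in `parse_callback` is what stops a rogue page on the same host from injecting a code into the waiting listener.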