On 2020-11-28 at 22:01, Ionel GARDAIS wrote:
Hi list,

Is there a way to allow maven to send Authorization header on redirect like 
curl's --location-trusted ?

From what I understand,
https://github.com/apache/maven-wagon/blob/c956aac9007303ce9e1746c834d58dff097ce3d6/wagon-providers/wagon-http-shared/src/main/java/org/apache/maven/wagon/shared/http/AbstractHttpClientWagon.java#L613
restricts authentication to the target host.

However, if an SSO redirect occurs when connecting to the maven repository, 
auth is lost as the host is likely to have a different hostname.

Is 'maven.wagon.http.ssl.location-trusted' something that could be 
implemented to bypass AuthScope ?
Or alternatively, how to authenticate maven with a multi-round auth ?
(My use case is a Nexus OSS repo with RUT enabled, behind oauth2-proxy)

Read my extensive analysis on that topic here: https://issues.apache.org/jira/browse/WAGON-590

I never liked that stupid redirect hell many systems perform these days, including OIDC with Authorization Code Flow.

A question aside, how do you plan to pass the flow with stock Wagon w/o having a browser, are you using ROPC Grant?

Michael
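
The host restriction discussed in this thread, as an added example that is not part of either message and is not Wagon's own code: it uses the Apache HttpClient 4.x `AuthScope` and `BasicCredentialsProvider` classes (httpclient 4.x must be on the classpath) to show that credentials registered for one host are not offered to a redirect target on another host, while a wildcard scope offers them to any host. The host names, account and the helper `offersCredentials` are constructed for illustration.

```java
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;

public class AuthScopeRedirectDemo {

    // Hypothetical helper: true if the provider would hand out credentials
    // when challenged by host:port.
    static boolean offersCredentials(CredentialsProvider provider, String host, int port) {
        Credentials found = provider.getCredentials(new AuthScope(host, port));
        return found != null;
    }

    public static void main(String[] args) {
        // Constructed sample values (hypothetical hosts and account).
        String repoHost = "nexus.example.org"; // the repository named in settings.xml
        String ssoHost = "sso.example.org";    // where an SSO redirect lands
        Credentials creds =
                new UsernamePasswordCredentials("deployer", "not-a-real-password");

        // Host-scoped registration: credentials are bound to the repository host only.
        CredentialsProvider scoped = new BasicCredentialsProvider();
        scoped.setCredentials(new AuthScope(repoHost, 443), creds);

        // Wildcard registration: credentials match every host, including
        // whatever host a redirect points to.
        CredentialsProvider wildcard = new BasicCredentialsProvider();
        wildcard.setCredentials(AuthScope.ANY, creds);

        System.out.println("scoped,   repository host: "
                + offersCredentials(scoped, repoHost, 443));
        System.out.println("scoped,   redirect target: "
                + offersCredentials(scoped, ssoHost, 443));
        System.out.println("wildcard, repository host: "
                + offersCredentials(wildcard, repoHost, 443));
        System.out.println("wildcard, redirect target: "
                + offersCredentials(wildcard, ssoHost, 443));
    }
}
```

The scoped provider is why authentication is lost after a cross-host redirect, and the wildcard provider shows what relaxing the scope costs: the repository password is sent to whichever host the redirect names.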
