I agree with you : redirect hell is hard to cope with when the target tool does not provide a way to authenticate use with a side-auth. (Usually it takes the form of a token send as auth. Unfortunately this is only available with Nexus Pro along SAML auth, not the OSS one)
SSO is handled by Keycloak. The client is configured with a ‘HTTP Basic auth flow’, that makes Keycloak use basic auth instead of a form for authentication. oauth2-proxy redirects the request to SSO if the right cookie is not already set. Flow would be : - Maven connect to repository, sending the Authorization header - auth cookie is not set so oauth proxy redirect the client to the SSO - as with curl’s —location-trusted, Authorization header would be sent to the SSO - the SSO accepts the auth, set the cookie and redirect the client back to the repository - the request is catched again by oauth proxy, but due to the cookie presence, it can confirm SSO auth and set the user header so Nexus Remote User Token auth is happy and artifact downloaded. Io > Le 28 nov. 2020 à 22:11, Michael Osipov <micha...@apache.org> a écrit : > > Am 2020-11-28 um 22:01 schrieb Ionel GARDAIS: >> Hi list, >> Is there a way to allow maven to send Authorization header on redirect like >> curl's --location-trusted ? >>> From what I understand, >> [ >> https://github.com/apache/maven-wagon/blob/c956aac9007303ce9e1746c834d58dff097ce3d6/wagon-providers/wagon-http-shared/src/main/java/org/apache/maven/wagon/shared/http/AbstractHttpClientWagon.java#L613 >> | >> https://github.com/apache/maven-wagon/blob/c956aac9007303ce9e1746c834d58dff097ce3d6/wagon-providers/wagon-http-shared/src/main/java/org/apache/maven/wagon/shared/http/AbstractHttpClientWagon.java#L613 >> ] >> restricts authentication to the target host. >> However, if an SSO redirect occurs when connecting to the maven repository, >> auth is lost as the host is likely to have a different hostname. >> Is ' maven.wagon.http.ssl.location-trusted ' something that could be >> implemented to bypass AuthScope ? >> Or alternatively, how to authenticate maven with a multi-round auth ? >> (My use case is a Nexus OSS repo with RUT enabled, behind oauth2-proxy) > > Read my extensive analysis on that topic here: > https://issues.apache.org/jira/browse/WAGON-590 > > I never liked that stupid redirect hell many systems perform these days, > including OIDC with Authorization Code Flow. > > A question aside, how do you plan to pass the flow with stock Wagon w/o > having a browser, are you using ROPC Grant? > > Michael > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > For additional commands, e-mail: users-h...@maven.apache.org > -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 30 --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
