Before I do too much work on this, I'd like to do a sanity check. Does
anyone know of a client which will access a repo over HTTPS, with an
access/bearer token? This gives SSO and multi-factor authentication
using OAuth2.
The repo runs behind Apache httpd, which is using mod_auth_openidc. The
config file sets 'AuthType openid-connect', and 'Require valid-user'.
The repos additionally require a specific claim to access them ('Require
claim x:y:z').
This all works with git, using Git Credential Manager
<https://github.com/git-ecosystem/git-credential-manager> (GCM; this is
a cross-platform .NET Core app).
Basically, two things need to be done:
(1) HTTP requests need to specify 'Authorization: Bearer' with an access
token. If you don't have an access token, something (a script, GCM,
whatever) has to pop up a browser window and connect to an OAuth2
identity provider (IdP). The user then logs in (with MFA if configured),
and the IdP then redirects back to localhost with a token. This means
that the 'script' must also run a webserver to extract the token, which
it can then add to the GET/POST/whatever request.
(2) Subversion has to know about this in some way, and has to run the
script to use a previously-generated token, or request a new one if
necessary.
The first step is not, I think, particularly difficult, and there are
various existing scripts or apps out there that do some or all of the
problem. GCM itself looks pretty complex. I'm not really sure what the
complexity is. The choice to use .NET doesn't help (but it has to be
multi-platform), but a lot of the complexity is presumably in how to use
the credential manager to store tokens. There's also some complexity in
handling different targets (GitHub, Bitbucket, Azure, whatever).
However, there is a generic setup (which I use; this talks to Keycloak).
My entire config (.gitconfig) to talk to Keycloak looks like this:

[credential]
	helper = cache --timeout 7200
	helper = "oauth"
[credential "<URL>"]
	oauthScopes = "openid email"
	oauthAuthURL = /keycloak/realms/<REALM>/protocol/openid-connect/auth
	oauthTokenURL = /keycloak/realms/<REALM>/protocol/openid-connect/token
	oauthClientId = openid-cli
	oauthRedirectUri = http://127.0.0.1
	oauthClientSecret = <CLIENT-SECRET>
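An added example (not code from the post, GCM or git-credential-oauth) of step (1) as a small Python script: start a one-shot HTTP server on loopback, send the browser to the IdP, check the state on the redirect, and exchange the authorization code for an access token using PKCE. It assumes the Keycloak endpoint paths from the .gitconfig above with <HOST> and <REALM> as placeholders, and a public client (no secret) registered to accept loopback redirects on any port; login() is the entry point.

```python
import base64, hashlib, json, secrets, urllib.parse, urllib.request, webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTH_URL = "https://<HOST>/keycloak/realms/<REALM>/protocol/openid-connect/auth"
TOKEN_URL = "https://<HOST>/keycloak/realms/<REALM>/protocol/openid-connect/token"
CLIENT_ID = "openid-cli"  # assumed public CLI client: no secret, PKCE instead

def code_challenge(verifier):
    """S256 code_challenge for a code_verifier (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_auth_url(redirect_uri, state, challenge, scopes="openid email"):
    """Authorization request the script hands to the browser."""
    q = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
         "scope": scopes, "state": state, "code_challenge": challenge,
         "code_challenge_method": "S256"}
    return AUTH_URL + "?" + urllib.parse.urlencode(q)

def extract_code(redirect_path, expected_state):
    """Parse the IdP's redirect to localhost; reject a state that is not ours."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_path).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not a redirect from our request")
    if "code" not in q:
        raise ValueError("IdP error: " + q.get("error", ["unknown"])[0])
    return q["code"][0]

def exchange_code(code, redirect_uri, verifier):
    """POST the code to the token endpoint; the verifier proves we began the flow."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri, "client_id": CLIENT_ID, "code_verifier": verifier})
    with urllib.request.urlopen(TOKEN_URL, body.encode()) as r:
        return json.load(r)["access_token"]  # goes into 'Authorization: Bearer <token>'

def login():
    """Step (1) end to end: one-shot loopback server, browser, code, token."""
    got, state, verifier = {}, secrets.token_urlsafe(16), secrets.token_urlsafe(64)
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            got["code"] = extract_code(self.path, state)
            self.send_response(200); self.end_headers()
            self.wfile.write(b"Login complete; you can close this tab.")
    srv = HTTPServer(("127.0.0.1", 0), Handler)      # ephemeral port, loopback only
    redirect_uri = "http://127.0.0.1:%d/" % srv.server_address[1]
    webbrowser.open(build_auth_url(redirect_uri, state, code_challenge(verifier)))
    srv.handle_request()                              # block for exactly one redirect
    return exchange_code(got["code"], redirect_uri, verifier)
```

The state check in extract_code is the part a hand-rolled helper most often omits; without it any page that can reach the loopback port can inject a code into the session.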