Before I do too much work on this, I'd like to do a sanity check. Does anyone know of a client which will access a repo over HTTPS, with an access/bearer token? This gives SSO and multi-factor authentication using OAuth2.

The repo runs behind Apache httpd, which is using mod_auth_openidc. The config file sets 'AuthType openid-connect', and 'Require valid-user'. The repos additionally require a specific claim to access them ('Require claim x:y:z').

This all works with git, using Git Credential Manager <https://github.com/git-ecosystem/git-credential-manager> (GCM; this is a cross-platform .NET Core app).

Basically, two things need to be done:

(1) HTTP requests need to specify 'Authorization: Bearer' with an access token. If you don't have an access token, something (a script, GCM, whatever) has to pop up a browser window and connect to an OAuth2 identity provider (IdP). The user then logs in (with MFA if configured), and the IdP then redirects back to localhost with a token. This means that the 'script' must also run a webserver to extract the token, which it can then add to the GET/POST/whatever request.

(2) Subversion has to know about this in some way, and has to run the script to use a previously-generated token, or request a new one if necessary.

The first step is not, I think, particularly difficult, and there are various existing scripts or apps out there that do some or all of the problem. GCM itself looks pretty complex. I'm not really sure what the complexity is. The choice to use .NET doesn't help (but it has to be multi-platform), but a lot of the complexity is presumably in how to use the credential manager to store tokens. There's also some complexity in handling different targets (GitHub, Bitbucket, Azure, whatever). However, there is a generic setup (which I use; this talks to Keycloak). My entire config (.gitconfig) to talk to Keycloak looks like this:

[credential]
        helper = cache --timeout 7200
        helper = "oauth"

[credential "<URL>"]
        oauthScopes       = "openid email"
        oauthAuthURL      = /keycloak/realms/<REALM>/protocol/openid-connect/auth
        oauthTokenURL     = /keycloak/realms/<REALM>/protocol/openid-connect/token
        oauthClientId     = openid-cli
        oauthRedirectUri  = http://127.0.0.1
        oauthClientSecret = <CLIENT-SECRET>

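As an illustration of step (1) in the post (not code from the post, from GCM or from any Subversion client), here is the loopback half of the OAuth2 authorization-code flow in Python: build the IdP authorize URL with a PKCE challenge and a random state, run a one-shot listener on 127.0.0.1 that catches the redirect and checks the state before accepting the code, and turn a token into the 'Authorization: Bearer' header the repo expects. The IdP endpoint, client id and the `simulate_login` round trip are constructed placeholders; the code-for-token exchange against the token URL is not shown.

```python
"""Loopback receiver for the OAuth2 authorization-code flow with PKCE.
Constructed example: IdP URL and client id are placeholders, and
simulate_login() stands in for the browser round trip so it runs offline."""
import base64
import hashlib
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen


def pkce_challenge(verifier: str) -> str:
    """S256 challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    # 32 random bytes give 43 url-safe chars, inside RFC 7636's 43..128 range.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def build_authorize_url(auth_url, client_id, redirect_uri, scopes, state, verifier):
    """The URL the helper opens in the browser; state and PKCE bind the reply to us."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scopes,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return auth_url + "?" + urlencode(params)


def parse_redirect(query: str, expected_state: str) -> str:
    """Pull the authorization code out of the redirect; reject IdP errors
    and any reply whose state is not the one we generated."""
    q = parse_qs(query)
    if "error" in q:
        raise ValueError("IdP returned error: " + q["error"][0])
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to our request")
    if "code" not in q:
        raise ValueError("redirect carries no code")
    return q["code"][0]


class LoopbackReceiver:
    """One-shot HTTP server on 127.0.0.1 (OS-chosen port) that catches the redirect."""

    def __init__(self, expected_state: str):
        self.expected_state, self.result, self.error = expected_state, None, None
        self._done = threading.Event()
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                try:
                    receiver.result = parse_redirect(urlparse(self.path).query,
                                                     receiver.expected_state)
                    self.send_response(200)
                    body = b"Login complete; you can close this window."
                except ValueError as exc:
                    receiver.error = exc
                    self.send_response(400)
                    body = str(exc).encode()
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
                receiver._done.set()

            def log_message(self, *args):  # keep the listener quiet
                pass

        self._server = HTTPServer(("127.0.0.1", 0), Handler)
        self.redirect_uri = "http://127.0.0.1:%d/" % self._server.server_address[1]
        threading.Thread(target=self._server.serve_forever, daemon=True).start()

    def wait_for_code(self, timeout: float = 120.0) -> str:
        got = self._done.wait(timeout)
        self._server.shutdown()
        self._server.server_close()
        if not got:
            raise TimeoutError("no redirect received")
        if self.error:
            raise self.error
        return self.result


def bearer_header(access_token: str) -> dict:
    """Header to attach to every request against the mod_auth_openidc-protected repo."""
    return {"Authorization": "Bearer " + access_token}


def simulate_login(code: str, state: str, expected_state: str) -> str:
    """Stand-in for the browser: send our own listener the redirect the IdP would."""
    rx = LoopbackReceiver(expected_state)
    url = rx.redirect_uri + "?" + urlencode({"code": code, "state": state})
    try:
        urlopen(url, timeout=5).read()
    except Exception:
        pass  # a 400 from the listener surfaces as HTTPError; the outcome is read below
    return rx.wait_for_code(timeout=5)
```

In a real helper the code returned by `wait_for_code` is exchanged at the token URL (sending the same `code_verifier`), the resulting access token is cached, and `bearer_header` is applied to each request; the state check is what stops a stray or injected redirect on the loopback port from being accepted as a login.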