Hi,
I'm working on a proof of concept to add multi-factor authentication to
Subversion.
I have multiple directions, and I'd like to get some feedback from this
group before I head down the wrong road.
Please let me know if I should read up on any of these; I did not find
any recent conversation about these topics.
1. One option would be to extend the existing Basic auth with another
challenge. This would support standard TOTP without external connections.
I couldn't find any standard way of communicating this through HTTP; my
best solution would be to:
1.A extend the 401 response with information that the system also needs
a TOTP token.
I've only found the realm string I can use for this without modifying
the serf library.
1.B reject the username + password attempt with a different 401.
This would have to be handled inside the serf library.
2. Provide an external login path instead of Basic auth. This would open up
using OAuth or similar external providers, but a web-based provider
could be run beside svn as well.
The server would respond with a 30X response, and the cmdline could
print the URL for the user to open, log in and return to the terminal
after authentication.
This would feel less native, but it is pretty common these days.
All of the solutions above would result in an HTTP cookie that would be
stored encrypted in the auth folder and sent with every subsequent request.
Do you have any thoughts or preferences about this?
Do you see any technical or security issue with these?
Best regards,
Peter