On 19. 5. 25 19:33, Greg Stein wrote:
[clarifying]

On Mon, May 19, 2025 at 12:28 PM Greg Stein <gst...@gmail.com> wrote:

    Using an OAuth-based workflow that incorporates 2FA. That is
    already possible.


I've already seen this done.

    What is *really* hard is to incorporate 2FA into the svn
    client/libraries. The most straightforward is to use bearer/PAT
    tokens, as it requires client changes.


Mixed this up. Hard to incorporate since 2FA requires client changes. ... Given current APIs within svn, I believe the most straightforward is bearer/PAT tokens.

And some (likely) minimal changes to the Serf API. Per above message, ignore svn+ssh.

Probably no changes in Serf; it can be implemented directly at the RA layer (plus callback) on our side and an authn handler on the httpd side. All you really need is an extra HTTP req/rsp for the OTP handshake. Would work with bearer tokens, too; it's just a lot more complicated to implement, having more moving parts.

If it were me, I'd start with TOTP (RFC 6238), because it doesn't have to involve a third party beyond the client and the server and it's a known thing with multiple useful client-side implementations, from various authenticator apps and password managers to totp-cli for the command line and no doubt several libraries. Or we could roll our own; it's not that hard. I'd be absolutely stunned if the HTTPd-side integration for that doesn't already exist, probably in 79.3 different versions (63 working and some twice that between 1% and 50% done, is where the 16.3 comes from...).

-- Brane
