git smart http + apache mod_auth_openidc

git smart http + apache mod_auth_openidc

[Ralph Ewig]

Hi Everyone, hoping you might have a solution for 
this problem:

CONTEXT

  * I'm serving git repos using "smart https" via 
apache and basic authentication; everything works 
fine.
  * We're moving to SSO via Azure AD and apache 
mod_auth_openidc; this works fine for gitweb (on 
the same server as git).

PROBLEM

When trying to clone a repo with the OIDC setup, 
git breaks on the redirect for user authentication 
with the following error message (replaced server 
ids etc with xxx):

     C:\Users\void>git clone --progress -v 
"https://git.xxx.xxx/WebApps.git"
     Cloning into 'WebApps'...
     fatal: unable to update url base from 
redirection:
       asked for: 
https://git.xxx.xxx/WebApps.git/info/refs?service=git-upload-pack
        redirect: 
https://login.microsoftonline.com/xxx/oauth2/authorize?response_type=code&scope=openid&client_id=xxx&state=xxx&redirect_uri=https%3A%2F%2Fgit.xxx.xxx%2Fredirect&nonce=xxx


Can the git client just not handle a web based 
redirect for login, or is this a configuration 
issue? Any ideas would be greatly appreciated. Thanks!

Ralph

Re: git smart http + apache mod_auth_openidc

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 2168 bytes --]

On 2019-10-15 at 15:59:03, Ralph Ewig wrote:
> Hi Everyone, hoping you might have a solution for 
> this problem:
> 
> CONTEXT
> 
>   * I'm serving git repos using "smart https" via 
> apache and basic authentication; everything works 
> fine.
>   * We're moving to SSO via Azure AD and apache 
> mod_auth_openidc; this works fine for gitweb (on 
> the same server as git).
> 
> PROBLEM
> 
> When trying to clone a repo with the OIDC setup, 
> git breaks on the redirect for user authentication 
> with the following error message (replaced server 
> ids etc with xxx):
> 
>      C:\Users\void>git clone --progress -v 
> "https://git.xxx.xxx/WebApps.git"
>      Cloning into 'WebApps'...
>      fatal: unable to update url base from 
> redirection:
>        asked for: 
> https://git.xxx.xxx/WebApps.git/info/refs?service=git-upload-pack
>         redirect: 
> https://login.microsoftonline.com/xxx/oauth2/authorize?response_type=code&scope=openid&client_id=xxx&state=xxx&redirect_uri=https%3A%2F%2Fgit.xxx.xxx%2Fredirect&nonce=xxx
> 
> 
> Can the git client just not handle a web based 
> redirect for login, or is this a configuration 
> issue? Any ideas would be greatly appreciated. Thanks!

The Git client doesn't handle any sort of web-based login.  In general,
in order to do web-based login, you have to provide a fully functional
graphical web browser, and Git operates in many environments that don't
have one (such as servers, containers, and headless systems).

You should treat your Git server like you would treat any API you may
access, since essentially it is one.  That means that you would need to
provide a way to use some sort of external credential.

I know next to nothing about Azure AD, but it claims to support
Kerberos, so you may be able to use that in conjunction with libcurl's
GSS-Negotiate support and Apache's mod_auth_kerb (which is shipped in
Debian).  I use Kerberos-based authentication for my personal server
(which is Linux, not AD) and it does work, so it is possible to set up.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 868 bytes --]

Re: git smart http + apache mod_auth_openidc

[Ralph Ewig]

Thanks for the reply. I was hoping the Git GUI 
might be able to handle the OpenID authentication 
flow, but it makes sense that it would be 
inconsistent with other git clients.

Azure AD does support both LDAP and Kerberos, but 
unfortunately only as an extra cost add-on called 
"Domain Services". I might try to hack up a script 
to just sync the Azure AD password hashes to the 
htpassword file. Otherwise I guess I'll have to 
bite the bullet and pay the extra bill.

Nonetheless, thank you for the suggestion!
Ralph


On 10/16/2019 4:33 PM, brian m. carlson wrote:
> On 2019-10-15 at 15:59:03, Ralph Ewig wrote:
>> Hi Everyone, hoping you might have a solution for
>> this problem:
>>
>> CONTEXT
>>
>>    * I'm serving git repos using "smart https" via
>> apache and basic authentication; everything works
>> fine.
>>    * We're moving to SSO via Azure AD and apache
>> mod_auth_openidc; this works fine for gitweb (on
>> the same server as git).
>>
>> PROBLEM
>>
>> When trying to clone a repo with the OIDC setup,
>> git breaks on the redirect for user authentication
>> with the following error message (replaced server
>> ids etc with xxx):
>>
>>       C:\Users\void>git clone --progress -v
>> "https://git.xxx.xxx/WebApps.git"
>>       Cloning into 'WebApps'...
>>       fatal: unable to update url base from
>> redirection:
>>         asked for:
>> https://git.xxx.xxx/WebApps.git/info/refs?service=git-upload-pack
>>          redirect:
>> https://login.microsoftonline.com/xxx/oauth2/authorize?response_type=code&scope=openid&client_id=xxx&state=xxx&redirect_uri=https%3A%2F%2Fgit.xxx.xxx%2Fredirect&nonce=xxx
>>
>>
>> Can the git client just not handle a web based
>> redirect for login, or is this a configuration
>> issue? Any ideas would be greatly appreciated. Thanks!
> The Git client doesn't handle any sort of web-based login.  In general,
> in order to do web-based login, you have to provide a fully functional
> graphical web browser, and Git operates in many environments that don't
> have one (such as servers, containers, and headless systems).
>
> You should treat your Git server like you would treat any API you may
> access, since essentially it is one.  That means that you would need to
> provide a way to use some sort of external credential.
>
> I know next to nothing about Azure AD, but it claims to support
> Kerberos, so you may be able to use that in conjunction with libcurl's
> GSS-Negotiate support and Apache's mod_auth_kerb (which is shipped in
> Debian).  I use Kerberos-based authentication for my personal server
> (which is Linux, not AD) and it does work, so it is possible to set up.

Re: git smart http + apache mod_auth_openidc

[Jeff King]

On Thu, Oct 17, 2019 at 03:00:58AM +0000, Ralph Ewig wrote:

> Thanks for the reply. I was hoping the Git GUI 
> might be able to handle the OpenID authentication 
> flow, but it makes sense that it would be 
> inconsistent with other git clients.

I don't think we'd ever do the full flow, but it might be that it's
possible to use a token generated by the flow in a separate browser
session. This is easy to do if you can provide the token to the server
in place of a password. E.g., if you use 2FA on GitHub, you can generate
a limited token that allows you to connect for Git operations.

You can also use time-limited tokens and feed them from a custom
credential helper, which does the full authentication flow from a web
browser. I think Google does (or did) have such a thing internally, but
I don't think any part of it was made public (it was discussed on the
list a couple times in the early days of credential helpers).

That would still have to end up with a token "password" to send over
basic auth, I think. There was some discussion a while back of letting
credential helpers pass back content for HTTP "Authorization" headers,
but I don't think anything was ever merged.

> >>       C:\Users\void>git clone --progress -v
> >> "https://git.xxx.xxx/WebApps.git"
> >>       Cloning into 'WebApps'...
> >>       fatal: unable to update url base from
> >> redirection:
> >>         asked for:
> >> https://git.xxx.xxx/WebApps.git/info/refs?service=git-upload-pack
> >>          redirect:
> >> https://login.microsoftonline.com/xxx/oauth2/authorize?response_type=code&scope=openid&client_id=xxx&state=xxx&redirect_uri=https%3A%2F%2Fgit.xxx.xxx%2Fredirect&nonce=xxx

You're running into one other complexity here, which is that we don't
allow cross-server redirects during the initial conversation. So even if
you did have an auth flow where we could somehow provide all the
information via Git, we'd still be unhappy about bouncing between
multiple servers.

Mostly that's there to avoid leaking credentials. We only have one
notion of "the username and password we're using" for a given fetch, so
we want to avoid leaking it if we're redirected to another server. But
obviously Git _could_ be smarter there, if this was the only blocker
remaining (but from my understanding of OpenID, it's not).

-Peff

Re: git smart http + apache mod_auth_openidc

[Ralph Ewig]

Interesting ... I have not looked at access tokens 
before, but did find some documentation online 
that describes how Azure AD Jason Web Tokens can 
be used to authenticate a headless API 
(https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens), 


This seems to be a fit in this scenario, but  is 
admittedly a bit deeper into the weeds than I'm 
familiar with. I'll keep digging in to see if I 
can find a solution along that route. Really 
appreciate the pointer!

Ralph


On 10/16/2019 11:03 PM, Jeff King wrote:
> On Thu, Oct 17, 2019 at 03:00:58AM +0000, Ralph Ewig wrote:
>
>> Thanks for the reply. I was hoping the Git GUI
>> might be able to handle the OpenID authentication
>> flow, but it makes sense that it would be
>> inconsistent with other git clients.
> I don't think we'd ever do the full flow, but it might be that it's
> possible to use a token generated by the flow in a separate browser
> session. This is easy to do if you can provide the token to the server
> in place of a password. E.g., if you use 2FA on GitHub, you can generate
> a limited token that allows you to connect for Git operations.
>
> You can also use time-limited tokens and feed them from a custom
> credential helper, which does the full authentication flow from a web
> browser. I think Google does (or did) have such a thing internally, but
> I don't think any part of it was made public (it was discussed on the
> list a couple times in the early days of credential helpers).
>
> That would still have to end up with a token "password" to send over
> basic auth, I think. There was some discussion a while back of letting
> credential helpers pass back content for HTTP "Authorization" headers,
> but I don't think anything was ever merged.
>
>>>>        C:\Users\void>git clone --progress -v
>>>> "https://git.xxx.xxx/WebApps.git"
>>>>        Cloning into 'WebApps'...
>>>>        fatal: unable to update url base from
>>>> redirection:
>>>>          asked for:
>>>> https://git.xxx.xxx/WebApps.git/info/refs?service=git-upload-pack
>>>>           redirect:
>>>> https://login.microsoftonline.com/xxx/oauth2/authorize?response_type=code&scope=openid&client_id=xxx&state=xxx&redirect_uri=https%3A%2F%2Fgit.xxx.xxx%2Fredirect&nonce=xxx
> You're running into one other complexity here, which is that we don't
> allow cross-server redirects during the initial conversation. So even if
> you did have an auth flow where we could somehow provide all the
> information via Git, we'd still be unhappy about bouncing between
> multiple servers.
>
> Mostly that's there to avoid leaking credentials. We only have one
> notion of "the username and password we're using" for a given fetch, so
> we want to avoid leaking it if we're redirected to another server. But
> obviously Git _could_ be smarter there, if this was the only blocker
> remaining (but from my understanding of OpenID, it's not).
>
> -Peff

Re: git smart http + apache mod_auth_openidc

[Ralph Ewig]

Quick follow up question: can the git client pass 
a token read from a cookie with a request? That 
would enable users to sign-in via a browser, store 
the cookie, and then use that as the access token 
to authenticate a git request.


On 10/16/2019 11:03 PM, Jeff King wrote:
> On Thu, Oct 17, 2019 at 03:00:58AM +0000, Ralph Ewig wrote:
>
>> Thanks for the reply. I was hoping the Git GUI
>> might be able to handle the OpenID authentication
>> flow, but it makes sense that it would be
>> inconsistent with other git clients.
> I don't think we'd ever do the full flow, but it might be that it's
> possible to use a token generated by the flow in a separate browser
> session. This is easy to do if you can provide the token to the server
> in place of a password. E.g., if you use 2FA on GitHub, you can generate
> a limited token that allows you to connect for Git operations.
>
> You can also use time-limited tokens and feed them from a custom
> credential helper, which does the full authentication flow from a web
> browser. I think Google does (or did) have such a thing internally, but
> I don't think any part of it was made public (it was discussed on the
> list a couple times in the early days of credential helpers).
>
> That would still have to end up with a token "password" to send over
> basic auth, I think. There was some discussion a while back of letting
> credential helpers pass back content for HTTP "Authorization" headers,
> but I don't think anything was ever merged.
>
>>>>        C:\Users\void>git clone --progress -v
>>>> "https://git.xxx.xxx/WebApps.git"
>>>>        Cloning into 'WebApps'...
>>>>        fatal: unable to update url base from
>>>> redirection:
>>>>          asked for:
>>>> https://git.xxx.xxx/WebApps.git/info/refs?service=git-upload-pack
>>>>           redirect:
>>>> https://login.microsoftonline.com/xxx/oauth2/authorize?response_type=code&scope=openid&client_id=xxx&state=xxx&redirect_uri=https%3A%2F%2Fgit.xxx.xxx%2Fredirect&nonce=xxx
> You're running into one other complexity here, which is that we don't
> allow cross-server redirects during the initial conversation. So even if
> you did have an auth flow where we could somehow provide all the
> information via Git, we'd still be unhappy about bouncing between
> multiple servers.
>
> Mostly that's there to avoid leaking credentials. We only have one
> notion of "the username and password we're using" for a given fetch, so
> we want to avoid leaking it if we're redirected to another server. But
> obviously Git _could_ be smarter there, if this was the only blocker
> remaining (but from my understanding of OpenID, it's not).
>
> -Peff

Re: git smart http + apache mod_auth_openidc

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 1167 bytes --]

On 2019-10-17 at 14:33:38, Ralph Ewig wrote:
> Quick follow up question: can the git client pass
> a token read from a cookie with a request? That
> would enable users to sign-in via a browser, store
> the cookie, and then use that as the access token
> to authenticate a git request.

Git has an option, http.cookieFile, that can read a cookie from a file,
yes.  That does, of course, require that you're able to put the cookie
in a file from a web browser.  I'm not aware of any web browsers that
easily provide an option to dump cookies into a file.

Also, just as a note, this approach definitely won't work for automated
systems you have, such as CI systems.  That's why I suggested Kerberos:
because you can have services that have principals and you can use those
credentials in your CI systems to access code and run jobs.

Clearly you know your infrastructure and users better than I do, but I
don't recommend having a web-based sign-on as your only form of
authentication for a Git server.  It's going to cause a lot of pain and
inconvenience on all sides.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 868 bytes --]

Re: git smart http + apache mod_auth_openidc

[Ralph Ewig]

Understood (and agree).

We do use git for source code (where we use SSH 
and key authentication for CI/CD), but also for 
configuration control of other files like 
financial reports, engineering drawings, etc. 
where access is via HTTPS.  In that 2nd group the 
challenge is to make it as "not coding like" as 
possible so the non-developer crowd isn't scared off.

Since we use trac for project management company 
wide (all verticals), my latest idea is to 
intercept the git http request on the server side 
to authenticate against the trac session info 
stored in the db (using a custom php script),  and 
then pass it on to git-http-backend or throw an 
error prompting the user to sign into trac first. 
Most users are signed into trac 24/7 anyway since 
its central to our workflow.

in the end paying the extra fee for MS Domain 
Services to get SSO via LDAP or Kerberos might be 
the right answer though - just trying to be 
scrappy if I can since it's an early stage 
startup. Nonetheless really appreciate the 
exchange of ideas!

Ralph


On 10/17/2019 3:55 PM, brian m. carlson wrote:
> On 2019-10-17 at 14:33:38, Ralph Ewig wrote:
>> Quick follow up question: can the git client pass
>> a token read from a cookie with a request? That
>> would enable users to sign-in via a browser, store
>> the cookie, and then use that as the access token
>> to authenticate a git request.
> Git has an option, http.cookieFile, that can read a cookie from a file,
> yes.  That does, of course, require that you're able to put the cookie
> in a file from a web browser.  I'm not aware of any web browsers that
> easily provide an option to dump cookies into a file.
>
> Also, just as a note, this approach definitely won't work for automated
> systems you have, such as CI systems.  That's why I suggested Kerberos:
> because you can have services that have principals and you can use those
> credentials in your CI systems to access code and run jobs.
>
> Clearly you know your infrastructure and users better than I do, but I
> don't recommend having a web-based sign-on as your only form of
> authentication for a Git server.  It's going to cause a lot of pain and
> inconvenience on all sides.