* Git over HTTP; have flexible SASL authentication
@ 2023-01-27 16:34 Rick van Rein
2023-01-27 17:06 ` Junio C Hamano
0 siblings, 1 reply; 6+ messages in thread
From: Rick van Rein @ 2023-01-27 16:34 UTC (permalink / raw)
To: git
Hello,
Git providers are inventing proprietary extensions to HTTP authentication
for Git. It seems smarter to use SASL for this purpose, possibly allowing
the client a choice and authentication ringback to the client's own domain.
I wrote an Internet Draft to allow just that, and we implemented it for
Apache, Nginx and FireFox. I would love to learn if this list considers
it a sensible extensions to Git.
https://datatracker.ietf.org/doc/html/draft-vanrein-httpauth-sasl
If you think this is useful, it would be wonderful to mention that on the
HTTP WorkGroup list as well, because they are now considering HTTP-SASL
for adoption, a formal requisite to send "Authorization: SASL" headers.
https://datatracker.ietf.org/wg/httpbis/about/
Thanks!
Rick van Rein
InternetWide.org
Apache :- https://gitlab.com/arpa2/apachemod/-/tree/master/arpa2_sasl
https://gitlab.com/arpa2/apachemod/-/tree/master/arpa2_diasasl
Nginx :- https://github.com/stef/ngx_http_auth_sasl_module
FireFox :- https://gitlab.com/arpa2/http_sasl_client
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: Git over HTTP; have flexible SASL authentication 2023-01-27 16:34 Git over HTTP; have flexible SASL authentication Rick van Rein @ 2023-01-27 17:06 ` Junio C Hamano 2023-02-01 11:24 ` Jeff King 2023-02-04 11:34 ` Rick van Rein 0 siblings, 2 replies; 6+ messages in thread From: Junio C Hamano @ 2023-01-27 17:06 UTC (permalink / raw) To: Rick van Rein; +Cc: git, Jeff King, Matthew John Cheetham Rick van Rein <rick@openfortress•nl> writes: > Git providers are inventing proprietary extensions to HTTP authentication > for Git. It seems smarter to use SASL for this purpose, possibly allowing > the client a choice and authentication ringback to the client's own domain. To adopt things like this, the work to extend how to make extensible what is on WWW-Authenticate in the thread that contains this recent message https://lore.kernel.org/git/Y9LvFMzriAWUsS58@coredump.intra.peff.net/ may be relevant, perhaps? ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Git over HTTP; have flexible SASL authentication 2023-01-27 17:06 ` Junio C Hamano @ 2023-02-01 11:24 ` Jeff King 2023-02-01 19:36 ` Matthew John Cheetham 2023-02-04 11:34 ` Rick van Rein 1 sibling, 1 reply; 6+ messages in thread From: Jeff King @ 2023-02-01 11:24 UTC (permalink / raw) To: Junio C Hamano; +Cc: Rick van Rein, git, Matthew John Cheetham On Fri, Jan 27, 2023 at 09:06:36AM -0800, Junio C Hamano wrote: > Rick van Rein <rick@openfortress•nl> writes: > > > Git providers are inventing proprietary extensions to HTTP authentication > > for Git. It seems smarter to use SASL for this purpose, possibly allowing > > the client a choice and authentication ringback to the client's own domain. > > To adopt things like this, the work to extend how to make extensible > what is on WWW-Authenticate in the thread that contains this recent > message https://lore.kernel.org/git/Y9LvFMzriAWUsS58@coredump.intra.peff.net/ > may be relevant, perhaps? It's relevant, but I think there's a ways to go. That is just about passing WWW-Authenticate headers to helpers, which can then try to make sense of them. But Git would still only understand getting back a username/password from the helper, and passing it along to curl. And hopefully we'd do it all through curl's SASL support, and not invent our own handling. I'm not sure what all that might might look like. I'm sure Matthew has probably thought about it, so I'll let him say something more intelligent. :) -Peff ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Git over HTTP; have flexible SASL authentication 2023-02-01 11:24 ` Jeff King @ 2023-02-01 19:36 ` Matthew John Cheetham 0 siblings, 0 replies; 6+ messages in thread From: Matthew John Cheetham @ 2023-02-01 19:36 UTC (permalink / raw) To: Jeff King, Junio C Hamano; +Cc: Rick van Rein, git On 2023-02-01 03:24, Jeff King wrote: > On Fri, Jan 27, 2023 at 09:06:36AM -0800, Junio C Hamano wrote: > >> Rick van Rein <rick@openfortress•nl> writes: >> >>> Git providers are inventing proprietary extensions to HTTP authentication >>> for Git. It seems smarter to use SASL for this purpose, possibly allowing >>> the client a choice and authentication ringback to the client's own domain. >> >> To adopt things like this, the work to extend how to make extensible >> what is on WWW-Authenticate in the thread that contains this recent >> message https://lore.kernel.org/git/Y9LvFMzriAWUsS58@coredump.intra.peff.net/ >> may be relevant, perhaps? > > It's relevant, but I think there's a ways to go. That is just about > passing WWW-Authenticate headers to helpers, which can then try to make > sense of them. But Git would still only understand getting back a > username/password from the helper, and passing it along to curl. And > hopefully we'd do it all through curl's SASL support, and not invent our > own handling. > > I'm not sure what all that might might look like. I'm sure Matthew has > probably thought about it, so I'll let him say something more > intelligent. :) > > -Peff These are the same thoughts I have on this. My patches only add support for the Git -> helper information flow, but don't make an attempt to change how helpers can change Git's (curl's) response or behaviour. I had earlier iterations [1] of the patch that included the ability to change the auth type/headers that curl would respond with based on the helper's output. For example: protocol=https host=example.com password=<TOKEN> authtype=bearer ..would have Git configure curl to set CURLOPT_XOAUTH2_BEARER. However I pulled these patches to keep the scope of that series smaller. It's still my plan to reintroduce such a patch series in the future. I'd imagine that Git could advertise to helpers that its version of curl supports SASL and a helper could enable or select this mechanism. Alternatively it could just be a Git config to enable it outright `credential.useSasl` or something. I haven't had chance to review SASL yet. Thanks, Matthew [1] https://lore.kernel.org/git/230118.86k01kxfr7.gmgdl@evledraar.gmail.com/T/#m37fffe327593ca4f7bf32a205b7ee1d1ecd1ed46 ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Git over HTTP; have flexible SASL authentication 2023-01-27 17:06 ` Junio C Hamano 2023-02-01 11:24 ` Jeff King @ 2023-02-04 11:34 ` Rick van Rein 2023-02-06 22:08 ` Junio C Hamano 1 sibling, 1 reply; 6+ messages in thread From: Rick van Rein @ 2023-02-04 11:34 UTC (permalink / raw) To: Junio C Hamano; +Cc: git, Jeff King, Matthew John Cheetham Hi Junio, (Sorry for the late reply) > > Git providers are inventing proprietary extensions to HTTP authentication > > for Git. It seems smarter to use SASL for this purpose, possibly allowing > > the client a choice and authentication ringback to the client's own domain. > > To adopt things like this, the work to extend how to make extensible > what is on WWW-Authenticate in the thread that contains this recent > message https://lore.kernel.org/git/Y9LvFMzriAWUsS58@coredump.intra.peff.net/ > may be relevant, perhaps? This framework tries to get away from just Basic / Digest auth, but if I read correctly, it still assumes a single authentication step, which greatly reduces the strength of authentication. SASL assumes that the endpoints can hold state and progress through any challenge/response exchange, in multiple steps if needed. This is not trivial with stateless HTTP, but we fixed it with a "s2s" argument which can hold the (datestamped, signed, encrypted) state on the server side. A few mechanisms that spring to mind as useful with Git over HTTP-SASL are - Kerberos / GSS-API, desirable for companies using its single sign-on _ FIDO, currently being added to SASL to benefit all protocols - OPAQUE, a very modern crypto, developed in IETF now - SXOVER-PLUS, our own work that calls back to a user's domain for login (so no server-stored credentials needed, only access control) I'm curious if this would indeed be considered an improvement to Git. Cheers, -Rick ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Git over HTTP; have flexible SASL authentication 2023-02-04 11:34 ` Rick van Rein @ 2023-02-06 22:08 ` Junio C Hamano 0 siblings, 0 replies; 6+ messages in thread From: Junio C Hamano @ 2023-02-06 22:08 UTC (permalink / raw) To: Rick van Rein; +Cc: git, Jeff King, Matthew John Cheetham Rick van Rein <rick@openfortress•nl> writes: > SASL assumes that the endpoints can hold state and progress through any > challenge/response exchange, in multiple steps if needed. This is not > trivial with stateless HTTP, but we fixed it with a "s2s" argument which > can hold the (datestamped, signed, encrypted) state on the server side. That's nice to know, and its applications below do look useful, at least to me. > A few mechanisms that spring to mind as useful with Git over HTTP-SASL are > > - Kerberos / GSS-API, desirable for companies using its single sign-on > _ FIDO, currently being added to SASL to benefit all protocols > - OPAQUE, a very modern crypto, developed in IETF now > - SXOVER-PLUS, our own work that calls back to a user's domain for login > (so no server-stored credentials needed, only access control) > > I'm curious if this would indeed be considered an improvement to Git. > > Cheers, > -Rick ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-02-06 22:08 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2023-01-27 16:34 Git over HTTP; have flexible SASL authentication Rick van Rein 2023-01-27 17:06 ` Junio C Hamano 2023-02-01 11:24 ` Jeff King 2023-02-01 19:36 ` Matthew John Cheetham 2023-02-04 11:34 ` Rick van Rein 2023-02-06 22:08 ` Junio C Hamano
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox