From: Matthew John Cheetham <mjcheetham@github.com>
To: Jeff King <peff@peff.net>, Junio C Hamano <gitster@pobox.com>
Cc: Rick van Rein <rick@openfortress.nl>, git@vger.kernel.org
Subject: Re: Git over HTTP; have flexible SASL authentication
Date: Wed, 1 Feb 2023 11:36:35 -0800 [thread overview]
Message-ID: <df7fb59a-ea74-d724-46dd-9a4c32779a30@github.com> (raw)
In-Reply-To: <Y9pL0D2WuKqqwB7X@coredump.intra.peff.net>
On 2023-02-01 03:24, Jeff King wrote:
> On Fri, Jan 27, 2023 at 09:06:36AM -0800, Junio C Hamano wrote:
>
>> Rick van Rein <rick@openfortress.nl> writes:
>>
>>> Git providers are inventing proprietary extensions to HTTP authentication
>>> for Git. It seems smarter to use SASL for this purpose, possibly allowing
>>> the client a choice and authentication ringback to the client's own domain.
>>
>> To adopt things like this, the work to extend how to make extensible
>> what is on WWW-Authenticate in the thread that contains this recent
>> message https://lore.kernel.org/git/Y9LvFMzriAWUsS58@coredump.intra.peff.net/
>> may be relevant, perhaps?
>
> It's relevant, but I think there's a ways to go. That is just about
> passing WWW-Authenticate headers to helpers, which can then try to make
> sense of them. But Git would still only understand getting back a
> username/password from the helper, and passing it along to curl. And
> hopefully we'd do it all through curl's SASL support, and not invent our
> own handling.
>
> I'm not sure what all that might might look like. I'm sure Matthew has
> probably thought about it, so I'll let him say something more
> intelligent. :)
>
> -Peff
These are the same thoughts I have on this. My patches only add support for the
Git -> helper information flow, but don't make an attempt to change how helpers
can change Git's (curl's) response or behaviour.
I had earlier iterations [1] of the patch that included the ability to change
the auth type/headers that curl would respond with based on the helper's output.
For example:
protocol=https
host=example.com
password=<TOKEN>
authtype=bearer
..would have Git configure curl to set CURLOPT_XOAUTH2_BEARER. However I pulled
these patches to keep the scope of that series smaller. It's still my plan to
reintroduce such a patch series in the future.
I'd imagine that Git could advertise to helpers that its version of curl supports
SASL and a helper could enable or select this mechanism. Alternatively it could
just be a Git config to enable it outright `credential.useSasl` or something.
I haven't had chance to review SASL yet.
Thanks,
Matthew
[1] https://lore.kernel.org/git/230118.86k01kxfr7.gmgdl@evledraar.gmail.com/T/#m37fffe327593ca4f7bf32a205b7ee1d1ecd1ed46
next prev parent reply other threads:[~2023-02-01 19:36 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-27 16:34 Git over HTTP; have flexible SASL authentication Rick van Rein
2023-01-27 17:06 ` Junio C Hamano
2023-02-01 11:24 ` Jeff King
2023-02-01 19:36 ` Matthew John Cheetham [this message]
2023-02-04 11:34 ` Rick van Rein
2023-02-06 22:08 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=df7fb59a-ea74-d724-46dd-9a4c32779a30@github.com \
--to=mjcheetham@github.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=peff@peff.net \
--cc=rick@openfortress.nl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.