From: Matthew John Cheetham <mjcheetham@github.com>
To: Jeff King <peff@peff.net>, Junio C Hamano <gitster@pobox.com>
Cc: Rick van Rein <rick@openfortress.nl>, git@vger.kernel.org
Subject: Re: Git over HTTP; have flexible SASL authentication
Date: Wed, 1 Feb 2023 11:36:35 -0800 [thread overview]
Message-ID: <df7fb59a-ea74-d724-46dd-9a4c32779a30@github.com> (raw)
In-Reply-To: <Y9pL0D2WuKqqwB7X@coredump.intra.peff.net>
On 2023-02-01 03:24, Jeff King wrote:
> On Fri, Jan 27, 2023 at 09:06:36AM -0800, Junio C Hamano wrote:
>
>> Rick van Rein <rick@openfortress.nl> writes:
>>
>>> Git providers are inventing proprietary extensions to HTTP authentication
>>> for Git. It seems smarter to use SASL for this purpose, possibly allowing
>>> the client a choice and authentication ringback to the client's own domain.
>>
>> To adopt things like this, the work to extend how to make extensible
>> what is on WWW-Authenticate in the thread that contains this recent
>> message https://lore.kernel.org/git/Y9LvFMzriAWUsS58@coredump.intra.peff.net/
>> may be relevant, perhaps?
>
> It's relevant, but I think there's a ways to go. That is just about
> passing WWW-Authenticate headers to helpers, which can then try to make
> sense of them. But Git would still only understand getting back a
> username/password from the helper, and passing it along to curl. And
> hopefully we'd do it all through curl's SASL support, and not invent our
> own handling.
>
> I'm not sure what all that might might look like. I'm sure Matthew has
> probably thought about it, so I'll let him say something more
> intelligent. :)
>
> -Peff
These are the same thoughts I have on this. My patches only add support for the
Git -> helper information flow, but don't make an attempt to change how helpers
can change Git's (curl's) response or behaviour.
I had earlier iterations [1] of the patch that included the ability to change
the auth type/headers that curl would respond with based on the helper's output.
For example:
protocol=https
host=example.com
password=<TOKEN>
authtype=bearer
..would have Git configure curl to set CURLOPT_XOAUTH2_BEARER. However I pulled
these patches to keep the scope of that series smaller. It's still my plan to
reintroduce such a patch series in the future.
I'd imagine that Git could advertise to helpers that its version of curl supports
SASL and a helper could enable or select this mechanism. Alternatively it could
just be a Git config to enable it outright `credential.useSasl` or something.
I haven't had chance to review SASL yet.
Thanks,
Matthew
[1] https://lore.kernel.org/git/230118.86k01kxfr7.gmgdl@evledraar.gmail.com/T/#m37fffe327593ca4f7bf32a205b7ee1d1ecd1ed46
next prev parent reply other threads:[~2023-02-01 19:36 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-27 16:34 Git over HTTP; have flexible SASL authentication Rick van Rein
2023-01-27 17:06 ` Junio C Hamano
2023-02-01 11:24 ` Jeff King
2023-02-01 19:36 ` Matthew John Cheetham [this message]
2023-02-04 11:34 ` Rick van Rein
2023-02-06 22:08 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=df7fb59a-ea74-d724-46dd-9a4c32779a30@github.com \
--to=mjcheetham@github.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=peff@peff.net \
--cc=rick@openfortress.nl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).