Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Web server auth for generic OAuth remotes #42

Open
vdye opened this issue Apr 14, 2023 · 1 comment
Open

Web server auth for generic OAuth remotes #42

vdye opened this issue Apr 14, 2023 · 1 comment
Labels
enhancement New feature or request

Comments

@vdye
Copy link
Collaborator

vdye commented Apr 14, 2023
edited
Loading

Depends on #41

For hosts like GitHub, GitLab, etc., we want to be able to validate users making requests to the bundle server against the associated host repo permissions. For example, in a bundle server with the routes:

example/public-repo    https://github.com/example/public-repo
example/private-repo   https://github.com/example/private-repo

if a given user has access to public-repo but not private-repo, they should be able to download bundles only for public-repo. However, we don't want the bundle server managing user credentials.

The proposed approach is to have the bundle server use an OAuth Authorization Code Grant workflow to be able to make requests to the remote host on the user's behalf, then have it make a request (e.g. https://api.github.com/repos/<route>) to determine whether the user has access to a given repository (possibly caching the result to avoid hitting request rate limits).

Because bundle server requests are primarily made through Git, the authorization code will need to be sent as a credential through the configured Git credential helper. The default experience (command line username/PW) will be ugly, requiring users to manually construct the authorization server request - including the bundle server client ID - then provide the authorization code as the prompt's "password". More user-friendly credential helpers, like Git Credential Manager, can be pre-configured with the bundle server's OAuth parameters.

A follow-up task to this will be figuring out a way to make this a more user-friendly experience in GCM. That may include implementing a bundle web server endpoint to enable OIDC discovery, then having GCM discover those settings when the bundle server identifies a realm via the WWW-Authenticate header.

Risks/Concerns:

  • performance vs. correctness w.r.t caching repo access result
  • if we need to request a new access token for every request, is that going to be slow or hit rate limits?
    • maybe instead we just have the filled credential be the access token, not the authorization code
@vdye vdye added the enhancement New feature or request label Apr 14, 2023
@vtbassmatt
Copy link

We validated with one early adopter that this is strongly desired. Paraphrasing, they told us:

Ideally, we would drive all access control from our directory system. We aren't there yet, so the GitHub server is our source of truth for who can access what repositories.

In the future, it will still be fine to get access control information from the GitHub server. The GitHub server will transitively get its access control information from their directory system.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vtbassmatt @vdye