ADFS web application proxy support #884
Comments
So now I can provide some more detailed information after digging a little bit deeper into the authentication flow. The good news is we don't need cookies. 👍 And I have a working git credential manager implementation that maybe returns the right result. It looks like this:

protocol=https
host=domain
path=pathOnTheServer/?authToken=jwtToken
username=user@domain
password=

The cool thing is we only have to add a query parameter to the URL. Git will never trigger the credential manager. The problem here is that the ADOS (Azure DevOps Server) instantly redirects the client to the WAP (Web Application Proxy). This is a problem because a redirect isn't a login error. So git ends with an error. So does anybody have an idea how to force git to use the credential manager before doing any requests to the server? That would solve the problem and I can provide a PR for ADFS.
Does anybody know if it is possible for the WAP to return an HTTP status 401 instead of 302, so that the git client uses the credential manager? That should work for browsers and clients because the ADFS also sends a Location header.
You can force WAP to give 401 by setting it to use OAuth-based credentials. Though I've not figured out how to support both OAuth and the normal GUI. Trying to integrate Gitea access behind pre-authenticated WAP.
Hm, maybe this helps. I will check this internally. Do you already have something open source, so we can maybe develop together?
Not worked on any source, no. Just trying to figure out config.
Which version of GCM are you using?
1.20.0
Which service are you trying to connect to
If you're using Azure DevOps, can you access the repository in the browser via the same URL?
If you're using Azure DevOps, and the account picker shows more than one identity as you authenticate, check that you selected the same one that has access on the web.
Expected behavior
In my company we use Azure DevOps Server for our projects. This is cool for all our internal workers. We are now trying to improve the work on our server for external people who help us in projects. So we try to protect our Azure DevOps Server from the internet via ADFS web application proxy. This is configured for forms-based authentication.
I then realized that this configuration isn't supported by the git credential manager, so I started to invest some time to try to find a solution. Then I realized that the git credential manager can only store credentials that are later used via basic auth by the git client. (That is currently my understanding.)
The problem now is that the ADFS creates a cookie for the user with a token in it. But this token must be sent as a cookie. Is it possible to send a cookie with the git credential manager for each git command?
Actual behavior
The current behavior is that the user is redirected to the ADFS and git doesn't know what to do. The redirect can be caught by the git credential manager. (I have an implementation for that on my local machine.) But the problem is I don't know how to tell git to use the cookie I get after authentication.
Set the env variables GCM_TRACE=1 and GIT_TRACE=1 and run your git command. Redact any private information and attach the log
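The credential output quoted in this thread carries the token in the `path` query string, so it will also show up in trace logs. The following is an added example, not part of the original issue or of GCM: it masks the `authToken` parameter, JWT-shaped strings and the `password` attribute before a log or credential dump is attached. The function names and sample inputs are constructed for illustration.

```python
import re

MASK = "REDACTED"

# Query parameter name taken from the thread; matched case-insensitively.
TOKEN_PARAM = re.compile(r"\b(authToken=)[^&\s'\"]+", re.IGNORECASE)
# JWTs are three base64url segments; a JSON header always encodes to "eyJ...".
JWT_SHAPED = re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]*")


def redact_text(text):
    """Mask token query parameters and JWT-shaped strings in free text."""
    text = TOKEN_PARAM.sub(lambda m: m.group(1) + MASK, text)
    return JWT_SHAPED.sub(MASK, text)


def redact_credential(block):
    """Mask secrets in git credential key=value output.

    The password attribute is always masked when non-empty; every other
    value (including path) is scanned for tokens.
    """
    out = []
    for line in block.splitlines():
        key, eq, value = line.partition("=")
        if eq and key == "password":
            out.append("password=" + (MASK if value else ""))
        elif eq:
            out.append(key + "=" + redact_text(value))
        else:
            out.append(redact_text(line))  # not an attribute line
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample, shaped like the output quoted in the thread.
    sample = (
        "protocol=https\nhost=domain\n"
        "path=pathOnTheServer/?authToken=jwtToken\n"
        "username=user@domain\npassword=\n"
    )
    print(redact_credential(sample))
    # Constructed trace-style line containing a JWT-shaped bearer value.
    print(redact_text("Authorization: Bearer eyJabc.def.ghi"))
```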