
[WIP] Add support for private feeds

Open loic-sharma opened this issue 7 years ago • 21 comments

Private Feeds

⚠️ This is still a work in progress

This adds support for private BaGet feeds using Azure Active Directory authentication. The experience is as follows:

  1. The user runs dotnet restore for the first time on their private BaGet feed
  2. The NuGet client shows the message:

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ABCD123456 to authenticate.

  3. After the user logs in using their browser, BaGet grants the user access to the private feed
  4. The NuGet client continues the restore operation

Addresses https://github.com/loic-sharma/BaGet/issues/36

TODO

  • [X] Backend
    • [X] Support Azure Active Directory authorization
    • [X] Accept the JWT token using HTTP Basic Auth
  • [ ] BaGet frontend authentication
  • [ ] NuGet client authentication plugin. See this branch
  • [ ] Polish
    • [X] Disable the authentication if there are no AAD settings
    • [ ] Documentation

For a prototype of the client side code that will be used by the NuGet plugin, see: https://gist.github.com/loic-sharma/dca161747f13a62a6bcf8b1d04259445

/cc @nkolev92

loic-sharma avatar Aug 02 '18 06:08 loic-sharma
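The server side of the flow described in the PR, as an added example written for this page rather than code from BaGet or from this PR: an ASP.NET Core (.NET 8) authentication scheme that takes the Azure AD access token the client plugin obtained through the device-login flow, reads it out of the password slot of an HTTP Basic Authorization header, validates it against the tenant's published OpenID Connect metadata, and is registered only when AAD settings are present (the "disable the authentication if there are no AAD settings" item in the TODO). The scheme name "BasicJwt", the configuration keys AzureAd:TenantId and AzureAd:ClientId, the stand-in /v3/index.json endpoint and the NuGet packages named in the header comment are assumptions, not anything the PR specifies.

```csharp
// Added example, not BaGet's or this PR's code. Assumed: scheme name "BasicJwt",
// config keys AzureAd:TenantId / AzureAd:ClientId, .NET 8, and the packages
// System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect.
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
var tenantId = builder.Configuration["AzureAd:TenantId"];
var clientId = builder.Configuration["AzureAd:ClientId"];

// No tenant/client id configured: no scheme and no fallback policy are registered,
// so the feed stays open exactly as an unconfigured BaGet would be.
if (!string.IsNullOrEmpty(tenantId) && !string.IsNullOrEmpty(clientId))
{
    // Fetches and caches the tenant's OIDC metadata (issuer and JWKS signing keys).
    builder.Services.AddSingleton<IConfigurationManager<OpenIdConnectConfiguration>>(
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever()));
    builder.Services.AddAuthentication("BasicJwt")
        .AddScheme<BasicJwtOptions, BasicJwtHandler>("BasicJwt", o => o.ClientId = clientId);
    // Every endpoint requires an authenticated caller unless it explicitly opts out.
    builder.Services.AddAuthorization(o => o.FallbackPolicy = o.DefaultPolicy);
}

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/v3/index.json", () => Results.Ok(new { version = "3.0.0" })); // stand-in for BaGet's endpoints
app.Run();

public sealed class BasicJwtOptions : AuthenticationSchemeOptions
{
    public string ClientId { get; set; } = "";
}

public sealed class BasicJwtHandler : AuthenticationHandler<BasicJwtOptions>
{
    private readonly IConfigurationManager<OpenIdConnectConfiguration> _oidc;

    public BasicJwtHandler(IOptionsMonitor<BasicJwtOptions> options, ILoggerFactory logger,
        UrlEncoder encoder, IConfigurationManager<OpenIdConnectConfiguration> oidc)
        : base(options, logger, encoder) => _oidc = oidc;

    // Pulls the token out of "Basic base64(user:token)"; null when the header is absent or malformed.
    // The username slot is ignored: the token alone identifies the caller.
    public static string? ExtractToken(string? authorization)
    {
        if (authorization is null || !authorization.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return null;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(authorization[6..].Trim())); }
        catch (FormatException) { return null; }
        var colon = decoded.IndexOf(':');
        return colon < 0 ? null : decoded[(colon + 1)..];
    }

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        var token = ExtractToken(Request.Headers.Authorization.ToString());
        if (token is null) return AuthenticateResult.NoResult();

        var oidc = await _oidc.GetConfigurationAsync(Context.RequestAborted);
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = oidc.Issuer,                                   // this tenant only
            ValidAudiences = new[] { Options.ClientId, $"api://{Options.ClientId}" }, // minted for this app only
            IssuerSigningKeys = oidc.SigningKeys,                        // signature must verify against the tenant's JWKS
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
        try
        {
            var principal = new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
            return AuthenticateResult.Success(new AuthenticationTicket(principal, Scheme.Name));
        }
        catch (Exception ex) when (ex is SecurityTokenException or ArgumentException)
        {
            return AuthenticateResult.Fail(ex); // expired, wrong audience or issuer, bad signature, not a JWT
        }
    }

    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
    {
        // The NuGet client only starts its credential flow (here: the device-login plugin) after a 401 Basic challenge.
        Response.StatusCode = StatusCodes.Status401Unauthorized;
        Response.Headers.WWWAuthenticate = "Basic realm=\"BaGet\"";
        return Task.CompletedTask;
    }
}
```

Two things a practitioner should keep in mind with this design. First, carrying a bearer-style token in a Basic header gives it no more protection than a password: base64 is reversible, so the feed must only be served over HTTPS, and the token should be a short-lived access token rather than anything long-lived. Second, the audience check is what stops a token issued for some other resource (Microsoft Graph, another internal API) from being replayed against the feed; without it, any AAD token from the tenant would open the packages. With the fallback policy in place the existing API-key push endpoint would also require a token, so a real integration would either exempt it with AllowAnonymous or merge the two checks.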

NuGet Client plug-in documentation: https://docs.microsoft.com/en-us/nuget/reference/extensibility/nuget-cross-platform-plugins

loic-sharma avatar Aug 24 '18 00:08 loic-sharma

□ BaGet frontend authentication

Hi, guys! About what time will this be completed? Please!

chenzuo avatar Dec 04 '18 03:12 chenzuo

I'm trying BaGet and I like it. Support for private feeds is something I need. Can I help with something? Some parts that I complete? Glad to help in anything I can.

pablopioli avatar Dec 14 '18 22:12 pablopioli

How can I get a JWT token? And how does BaGet authenticate it? How can I set up the JWT? Is there any documentation about it?

chenzuo avatar Dec 15 '18 17:12 chenzuo

@loic-sharma the URL: https://package.jiehai-tech.com/ This address is for everyone to use for testing. Everyone is welcome to test with this address. I will watch the author's releases every minute. As long as he updates, I will provide the latest test address.

chenzuo avatar Dec 19 '18 03:12 chenzuo

Thanks @chenzuo! One day I’ll setup an official demo endpoint with all of NuGet.org mirrored :)

@pablopioli Hey, thanks for offering. I’m actually planning on taking a step back and reevaluating my approach. Right now, this requires that you setup an Azure Active Directory which is burdensome. I’d like to investigate setting up my own OAuth token server that grant access if you know the API Key. I’ll work on this next week when I get back from the holidays. Cheers!

loic-sharma avatar Dec 19 '18 07:12 loic-sharma

I have implemented Identity Server and can tell you it is a lot simpler to set up Azure AD. However, I see how this can bring more flexibility.

Maybe an option to disable the UI? In many cases the NuGet server is only accessed using the command line (build server and code editor tooling). Using the API key to list, upload and download will be sufficient.

pablopioli avatar Dec 19 '18 12:12 pablopioli

Hey @loic-sharma, I think Azure AD for this is ideal for my use case, but I can appreciate it's perhaps burdensome for others. Perhaps some configurable options to swap between Azure AD and e.g. a standard OpenAuth (so you could use an OpenID server - https://identityserver.io/). Would definitely suggest this rather than trying to sort out an ID server yourself. Definitely keen to see where this goes; seems perfect for what I'm after (currently using the Docker image of Klondike, but it's not getting any further updates and has some warts).

gjonespf avatar Jan 17 '19 23:01 gjonespf

What is the status of this feature?

Marusyk avatar May 23 '19 15:05 Marusyk

I would like to set up a private NuGet server for my company, but a private feed is needed. What is the progress? Can I help?

araqiel2552 avatar Aug 23 '19 05:08 araqiel2552

Hello, I fell in love with BaGet and it does everything I needed. However, I need to keep my private packages secure; otherwise anyone can download them and do malicious things. A simple feature that only allows the download if the client provides the API key, both in the browser and in the CLI, would be completely sufficient.

Sasino97 avatar Oct 09 '19 09:10 Sasino97

I want to help to complete that feature, because I need it too. Maybe you could summarize what to do and which tasks of the TODO are still open. You may want to create a GitHub project for it?

BTW Thanks for that project, really appreciate it.

oli-mo avatar Oct 18 '19 11:10 oli-mo

What is happening here? What do you need done?

chazt3n avatar Apr 08 '20 18:04 chazt3n

I would be happy with just LDAPS support on-prem... for cloud hosting, SaaS would anyway be the direction.

tomko80 avatar Sep 22 '20 13:09 tomko80

It seems like this hasn't been finished yet simply because nobody has done so. I'll pay 25 euros to everyone who contributes to this PR, when it is merged. Can anyone tell me what the preferred way of creating bounties is in this project?

Foxite avatar Aug 31 '21 20:08 Foxite

Hi, why not have an option for simple authentication? For Publish, there is an API key. Can something like this be done for all calls to the BaGet server?

Thanks

wahmedswl avatar Sep 16 '21 10:09 wahmedswl

> Hi, why not have an option for simple authentication? For Publish, there is an API key. Can something like this be done for all calls to the BaGet server?
>
> Thanks

As suggested in https://github.com/loic-sharma/BaGet/issues/515 you can use a reverse proxy to implement security

I would suggest https://microsoft.github.io/reverse-proxy/articles/authn-authz.html as a C#-only solution

You can then plug any authentication you want

pablopioli avatar Sep 16 '21 13:09 pablopioli

Why not something built in rather than outsourcing it? There is already API-key-based auth for package publish, so why not the same for view, pull etc. as well?

Thanks

wahmedswl avatar Sep 16 '21 14:09 wahmedswl

I really liked BaGet but also wanted a private feed. I made an attempt to get something going "in a hackish way", if you like. So if someone is interested, I made some changes in my forked branch with Basic Authentication support. You can see my changes here: https://github.com/loic-sharma/BaGet/compare/main...auaustria:BaGet:feature/browser-basic-auth

Please use it with caution since it is only Basic Auth. You can rotate passwords and update the configuration. This may be for someone that does not have very strict security requirements.

auaustria avatar Feb 17 '23 07:02 auaustria
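pablopioli's reverse-proxy suggestion and auaustria's Basic Auth branch come down to the same shape: something in front of the feed that demands credentials on every request and forwards only authenticated ones to an unmodified BaGet. The following is an added example written for this page, not code from BaGet, YARP or auaustria's fork: a YARP reverse proxy with a Basic authentication scheme whose credentials are per-user feed tokens kept in configuration as SHA-256 hashes and compared in constant time. Everything named here is an assumption for the example: BaGet listening on http://localhost:5000, the configuration section Feed:Users, the scheme name "Basic" and the policy name "feed-users".

```csharp
// Added example, not BaGet's, YARP's or auaustria's code. Assumed: BaGet upstream at
// http://localhost:5000, config section "Feed:Users" mapping user -> hex SHA-256 of a
// random feed token, scheme "Basic", policy "feed-users". Package: Yarp.ReverseProxy.
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options;
using Yarp.ReverseProxy.Configuration;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication("Basic")
    .AddScheme<BasicFeedOptions, BasicFeedHandler>("Basic", o =>
        builder.Configuration.GetSection("Feed:Users").Bind(o.Users)); // e.g. "Feed": { "Users": { "build": "<hex>" } }
builder.Services.AddAuthorization(o =>
    o.AddPolicy("feed-users", p => p.RequireAuthenticatedUser()));

// One catch-all route, gated by the policy, forwarded to BaGet. The policy is enforced
// by the authorization middleware before the request ever reaches the proxy handler.
builder.Services.AddReverseProxy().LoadFromMemory(
    new[] { new RouteConfig {
        RouteId = "baget", ClusterId = "baget", AuthorizationPolicy = "feed-users",
        Match = new RouteMatch { Path = "{**catch-all}" } } },
    new[] { new ClusterConfig {
        ClusterId = "baget",
        Destinations = new Dictionary<string, DestinationConfig> {
            ["upstream"] = new() { Address = "http://localhost:5000/" } } } });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapReverseProxy();
app.Run();

public sealed class BasicFeedOptions : AuthenticationSchemeOptions
{
    // user -> lowercase hex SHA-256 of that user's feed token.
    public Dictionary<string, string> Users { get; } = new(StringComparer.Ordinal);
}

public sealed class BasicFeedHandler : AuthenticationHandler<BasicFeedOptions>
{
    public BasicFeedHandler(IOptionsMonitor<BasicFeedOptions> o, ILoggerFactory l, UrlEncoder e)
        : base(o, l, e) { }

    // What an admin stores in Feed:Users for a freshly generated token.
    public static string HashToken(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token))).ToLowerInvariant();

    // Pure credential check, kept apart from the HTTP plumbing so it can be unit-tested.
    public static bool Verify(IReadOnlyDictionary<string, string> users, string user, string token)
    {
        if (!users.TryGetValue(user, out var expectedHex)) return false;
        var expected = Convert.FromHexString(expectedHex);
        var actual = SHA256.HashData(Encoding.UTF8.GetBytes(token));
        // Fixed-time compare: a wrong token must not be distinguishable byte by byte via timing.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        var header = Request.Headers.Authorization.ToString();
        if (!header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(AuthenticateResult.NoResult());
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header[6..].Trim())); }
        catch (FormatException) { return Task.FromResult(AuthenticateResult.Fail("Malformed Basic header")); }
        var colon = decoded.IndexOf(':');
        if (colon < 0 || !Verify(Options.Users, decoded[..colon], decoded[(colon + 1)..]))
            return Task.FromResult(AuthenticateResult.Fail("Invalid credentials"));
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, decoded[..colon]) }, Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(
            new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name)));
    }

    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
    {
        // The NuGet client only sends the credentials stored in nuget.config after seeing this challenge.
        Response.StatusCode = StatusCodes.Status401Unauthorized;
        Response.Headers.WWWAuthenticate = "Basic realm=\"BaGet\"";
        return Task.CompletedTask;
    }
}
```

On the client, the feed is registered with its token as the password, for example `dotnet nuget add source https://proxy.example.internal/v3/index.json -n private -u build -p <token> --store-password-in-clear-text` (the clear-text flag is needed on Linux and macOS, where NuGet cannot encrypt the stored password; treat that nuget.config as a secret). The caveats auaustria raises apply unchanged: Basic credentials are only as private as the transport, so the proxy must terminate TLS, and BaGet itself must be reachable only from the proxy (bind it to localhost or a private network), or the gate is trivially bypassed. Plain SHA-256 is acceptable here only because the values are long random tokens rather than human-chosen passwords; for anything a person memorises a slow KDF such as PBKDF2 or Argon2 is required. The example also has no lockout or rate limiting, so token rotation, as auaustria notes, is the main operational control.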