
ADFS web application proxy support

Open paule96 opened this issue 5 years ago • 5 comments

Which version of GCM are you using? 1.20.0

Which service are you trying to connect to

  • [ ] Azure DevOps
  • [x] Azure DevOps Server (TFS/on-prem)
  • [ ] GitHub
  • [ ] GitHub Enterprise
  • [ ] Bitbucket
  • [ ] Other? - please describe;

If you're using Azure DevOps, can you access the repository in the browser via the same URL?

  • [x] Yes
  • [ ] No, I get a permission error.
  • [ ] No, for a different reason:

If you're using Azure DevOps, and the account picker shows more than one identity as you authenticate, check that you selected the same one that has access on the web.

  • [x] I only see one identity.
  • [ ] I checked each and none worked.

Expected behavior

In my company we use Azure DevOps Server for our projects. This is cool for all our internal workers. We now try to improve the work on our server for external people that help us in projects. So we try to protect our Azure DevOps Server from the internet via ADFS web application proxy. This is configured for forms based authentication. I then realized that this configuration isn't supported via the git credential manager, so I started to invest some time and try to find a solution. Then I realized that the git credential manager can only store credentials that are later used via basic auth by the git client. (That is currently my understanding.)

The problem now is that the ADFS creates a cookie for the user with a token in it. But this token must be sent as a cookie. Is it possible to send a cookie with the git credential manager for each git command?

Actual behavior

The current behavior is that the user is redirected to the ADFS and git doesn't know what to do. The redirect can be caught by the git credential manager. (I have an implementation for that on my local machine.) But the problem is I don't know how to tell git to use the cookie I get after authentication.


Set the env variables GCM_TRACE=1 and GIT_TRACE=1 and run your git command. Redact any private information and attach the log.

19:00:36.957437 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
19:00:36.960435 git.c:439               trace: built-in: git clone https://server/collection/project/_git/reponame
Cloning into 'reponame'...
19:00:37.049989 run-command.c:662       trace: run_command: git remote-https origin https://server/collection/project/_git/reponame
19:00:37.074989 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
19:00:37.079988 git.c:703               trace: exec: git-remote-https origin https://server/collection/project/_git/reponame
19:00:37.079988 run-command.c:662       trace: run_command: git-remote-https origin https://server/collection/project/_git/reponame
19:00:37.103991 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
fatal: unable to access 'https://server/collection/project/_git/reponame': Received HTTP code 302 from proxy after CONNECT

paule96 avatar Jan 28 '20 18:01 paule96

So now I can provide some more detailed information after digging a little bit deeper into the authentication flow. The good news is we don't need cookies. 👍

And I have a working git credential manager implementation that maybe returns the right result. It looks like this:

protocol=https
host=domain
path=pathOnTheServer/?authToken=jwtToken
username=user@domain
password=

The cool thing is we only must add a query parameter to the URL. Now to the hard part:

git will never trigger the credential manager.

The problem here is that the ADOS (Azure DevOps Server) instantly redirects the client to the WAP (Web Application Proxy). This is a problem because a redirect isn't a login error. So git ends with an error. So does anybody have an idea how to force git to use the credential manager before doing any requests to the server? That would solve the problem and I can provide a PR for ADFS.

paule96 avatar Jan 29 '20 16:01 paule96
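A minimal helper that speaks git's line-oriented `key=value` credential protocol and emits a reply in the shape shown in the comment above. This is an added example, not paule96's local implementation and not Git Credential Manager code; the host, username and the `authToken` value are constructed placeholders, and the helper only answers the `get` verb (git also calls helpers with `store` and `erase`, which it ignores here).

```python
import sys

# Constructed placeholders; a real helper would obtain these from the
# ADFS sign-in flow rather than hard-code them.
PLACEHOLDER_USERNAME = "user@domain"
PLACEHOLDER_AUTH_TOKEN = "jwtToken"


def parse_credential_request(text):
    """Parse git's credential input: 'key=value' lines, terminated by a blank line.

    Anything after the blank line is not part of the request and is ignored.
    A line without '=' is malformed and rejected rather than silently skipped.
    """
    fields = {}
    for line in text.splitlines():
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed credential line: {line!r}")
        fields[key] = value
    return fields


def build_credential_reply(request, username, auth_token):
    """Build the reply format from the comment above: the token travels as a
    query parameter on 'path', 'password' stays empty, and the reply ends with
    a blank line so git knows the helper is done."""
    path = request.get("path", "")
    reply = {
        "protocol": request["protocol"],
        "host": request["host"],
        "path": f"{path}/?authToken={auth_token}",
        "username": username,
        "password": "",
    }
    return "".join(f"{key}={value}\n" for key, value in reply.items()) + "\n"


def main(argv=sys.argv, stdin=sys.stdin, stdout=sys.stdout):
    # git invokes the helper as: <helper> get|store|erase, request on stdin.
    verb = argv[1] if len(argv) > 1 else ""
    if verb != "get":
        return 0
    request = parse_credential_request(stdin.read())
    stdout.write(build_credential_reply(request, PLACEHOLDER_USERNAME, PLACEHOLDER_AUTH_TOKEN))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

As the thread itself notes, git only consults a helper after the server answers 401, so a 302 redirect never reaches this code path regardless of what the helper returns.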

Does anybody know if it is possible that the WAP returns an HTTP status 401 instead of 302, so that the git client uses the credential manager? That should work for browsers and clients because the ADFS also sends a Location header.

paule96 avatar Jan 30 '20 09:01 paule96

You can force WAP to give 401 by setting it to use OAuth based credentials. Though I've not figured out how to support both OAuth and the normal GUI. Trying to integrate gitea access behind pre-authenticated WAP.

elupus avatar May 04 '20 16:05 elupus

Hm, maybe this helps. I will check this internally.

Do you already have something open source, so we can maybe develop together? This pre-authentication is an interesting idea. 🤔

paule96 avatar May 04 '20 17:05 paule96

Not worked on any source, no. Just trying to figure out the config.

elupus avatar May 05 '20 07:05 elupus