Open
Description
Is your feature request related to a problem? Please describe.
It would be nice to have SSO via GSSAPI/Kerberos so that user accounts and credentials can be managed externally. GSSAPI/Kerberos seems like a good fit in that regard as it is mostly used within the CLI, compared to OAuth/OIDC, which is mostly authenticated using the browser.
Describe the solution you'd like
- HTTP authentication using SPNEGO
  - Client connects to the HTTP git server, using for example `http://:@git.example.org`. The `:@` will make regular git acquire Kerberos tickets.
  - Server sends a 401 with `WWW-Authenticate: Negotiate`.
  - Client acquires a HTTP/[email protected] service ticket and sends it as part of the next request, as `Authorization: Negotiate <negotiation data>`.
  - Server validates the authentication data against its stored keytab, which authenticates the user [email protected].
  - Server creates the user `<user>` if not already present within the Soft Serve database, and yields a successful response.
- HTTP authentication using Basic
  - Client connects to the HTTP git server like usual using Basic authentication.
  - Before checking against the credentials stored in the Soft Serve database, try to acquire a valid Kerberos ticket with the password and username.
  - If the server manages to acquire a valid Kerberos ticket using the user credentials, the user is authenticated, and the ticket is discarded.
  - Create a user if it doesn't already exist within the Soft Serve database.
- SSH works more or less the same as above. If logging in using a username/password combination, try acquiring a ticket using them; if the user has `GSSAPIAuthentication` enabled, they should authenticate using the service ticket they provide instead.
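The HTTP half of the two flows above (the SPNEGO 401/Negotiate exchange and the Basic path that tries Kerberos before the local database), as an added Go example that is not Soft Serve's code. The keytab validation of the SPNEGO token and the password-based ticket acquisition are left to two hypothetical hooks, `TokenValidator` and `PasswordVerifier`, which a real server would implement with a GSSAPI/Kerberos library; the `UserStore` is a constructed stand-in for the Soft Serve database, and the realm `EXAMPLE.ORG` in the comments is only illustrative.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"net/http"
	"strings"
	"sync"
)

// TokenValidator checks a SPNEGO token against the server keytab and returns the
// principal, e.g. "alice@EXAMPLE.ORG". Hypothetical hook for a GSSAPI library.
type TokenValidator func(token []byte) (principal string, err error)

// PasswordVerifier obtains a Kerberos ticket with username/password and returns the
// principal; the ticket itself is discarded. Hypothetical hook for a KDC client.
type PasswordVerifier func(username, password string) (principal string, err error)

// UserStore stands in for the Soft Serve user database (constructed; a real store keeps hashes).
type UserStore struct {
	mu        sync.Mutex
	users     map[string]bool
	passwords map[string]string
}

func NewUserStore() *UserStore {
	return &UserStore{users: map[string]bool{}, passwords: map[string]string{}}
}

// Ensure creates the user if missing and reports whether it already existed.
func (s *UserStore) Ensure(name string) (existed bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	existed = s.users[name]
	s.users[name] = true
	return existed
}

// CheckLocal is the fallback consulted only after Kerberos rejected the password.
func (s *UserStore) CheckLocal(name, password string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.passwords[name]
	return ok && subtle.ConstantTimeCompare([]byte(p), []byte(password)) == 1
}

// UsernameFromPrincipal strips the realm: "alice@EXAMPLE.ORG" -> "alice".
func UsernameFromPrincipal(principal string) string {
	name, _, _ := strings.Cut(principal, "@")
	return name
}

// KerberosAuth is HTTP middleware for both flows; Next receives the authenticated username.
type KerberosAuth struct {
	Validate TokenValidator
	Verify   PasswordVerifier
	Users    *UserStore
	Next     func(w http.ResponseWriter, r *http.Request, username string)
}

// Authenticate dispatches on the Authorization scheme; ok is false when the
// request carries no acceptable credentials and a 401 challenge must follow.
func (k *KerberosAuth) Authenticate(r *http.Request) (username string, ok bool) {
	scheme, param, _ := strings.Cut(r.Header.Get("Authorization"), " ")
	switch {
	case strings.EqualFold(scheme, "Negotiate"):
		token, err := base64.StdEncoding.DecodeString(strings.TrimSpace(param))
		if err != nil || len(token) == 0 {
			return "", false
		}
		if principal, err := k.Validate(token); err == nil { // keytab check lives in the hook
			return UsernameFromPrincipal(principal), true
		}
	case strings.EqualFold(scheme, "Basic"):
		user, pass, present := r.BasicAuth()
		if !present {
			return "", false
		}
		if principal, err := k.Verify(user, pass); err == nil { // Kerberos first
			return UsernameFromPrincipal(principal), true
		}
		return user, k.Users.CheckLocal(user, pass) // then the local database
	}
	return "", false // no acceptable credentials: the caller starts the negotiation
}

func (k *KerberosAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	username, ok := k.Authenticate(r)
	if !ok { // 401 advertising both schemes; git uses Negotiate when it holds a ticket
		w.Header().Add("WWW-Authenticate", "Negotiate")
		w.Header().Add("WWW-Authenticate", `Basic realm="soft-serve"`)
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	k.Users.Ensure(username) // auto-provision on first successful login
	k.Next(w, r, username)
}
```

Two design points worth noting. Every failure path (missing header, undecodable token, rejected token, wrong password) ends in the same 401 with the same challenge, so the response does not tell a client which scheme or which step failed. The auto-provisioning step in `ServeHTTP` is the single place where a deployment decides which principals may become local users; keying it on the realm-stripped username means two principals from different realms would collide on one account, so a multi-realm deployment should keep the full principal or restrict the accepted realm inside the hooks.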
Describe alternatives you've considered
An alternative could be LDAP, but it doesn't fill quite the same niche as it isn't an SSO but could be used as a password authentication backend or used to store SSH keys.
Additional context