Posted to dev@serf.apache.org by Jarno Elonen <ja...@gmail.com> on 2017/10/06 09:23:43 UTC

Passing custom auth headers from server?

Hi,

Is it possible to pass custom auth headers to Serf from server, and
have it pass them on for subsequent requests?
I.e. hand it a custom token / cookie after the initial authentication.

I'm building a Subversion HTTPS server with SSO over Kerberos (Samba4
ADC), and our Windows client (SlikSVN) crashes mid-checkout on some
repositories with mod_auth_kerb (auth_ntlm_winbind sort of works, but
it's suboptimal for various reasons).
I've written about the issue to SlikSVN developers, but since a fix
might take a while, I'd like to set up a workaround.

Since the first few Kerberos authenticated requests work, and the
client crashes only later in the process, I was contemplating making
the server pass a JWT token, a cookie or something like that, and
having the client use that for authentication from there on.

Is that sort of thing possible with Serf?

As an alternative, I was thinking about creating a temporary
repository URL with the credentials embedded in its URI, and
redirecting the client there for the rest of the session. But I guess
it's not possible to instruct SVN to use a different URL from the
server.

-Jarno

Re: Passing custom auth headers from server?

Posted by Branko Čibej <br...@apache.org>.
On 06.10.2017 12:19, Jarno Elonen wrote:
>> Read the documentation for HTTP status code 302 or 307. Subversion
>> handles redirects.
> Sure, but for the embedded-token-in-url scheme to work, it would need
> to redirect not only the current URI but all the subsequent requests,
> too - for each individual file it downloads etc. That is, the server
> would have to make the client use a different *base* URL for all the
> requests after the first one, which I don't think is possible?

As far as Subversion is concerned (and note that this is the Serf dev
list, so slightly off topic), it will do the same as any browser does
for a (temporary) redirect: it'll change the URL for the current session
to whatever is in the returned Location header.

>> Of course, embedding authn tokens in the URL, where they're exposed
>> before the SSL handshake (and will typically end up in server logs, too)
>> is hardly secure.
> I thought the URI is only passed to the server after SSL connection is
> established - as in HTTP over SSL over IP.

It is, unless you have automatic redirect from HTTP to HTTPS ... or
someone uses the HTTP scheme by mistake. And it _will_ usually be logged
by the server. The logging part can be disabled, of course, but it's
extra legwork.

> Anyway, the URI scheme idea was more or less my desperate last
> option. :) I'd obviously prefer custom authentication headers (unless
> the Kerberos crash bug, wherever it is, is fixed first).

Understood.

-- Brane


Re: Passing custom auth headers from server?

Posted by Jarno Elonen <el...@iki.fi>.
> Read the documentation for HTTP status code 302 or 307. Subversion
> handles redirects.

Sure, but for the embedded-token-in-url scheme to work, it would need
to redirect not only the current URI but all the subsequent requests,
too - for each individual file it downloads etc. That is, the server
would have to make the client use a different *base* URL for all the
requests after the first one, which I don't think is possible?

> Of course, embedding authn tokens in the URL, where they're exposed
> before the SSL handshake (and will typically end up in server logs, too)
> is hardly secure.

I thought the URI is only passed to the server after SSL connection is
established - as in HTTP over SSL over IP.

Anyway, the URI scheme idea was more or less my desperate last
option. :) I'd obviously prefer custom authentication headers (unless
the Kerberos crash bug, wherever it is, is fixed first).

-Jarno

Re: Passing custom auth headers from server?

Posted by Branko Čibej <br...@apache.org>.
On 06.10.2017 11:23, Jarno Elonen wrote:
> Hi,
>
> Is it possible to pass custom auth headers to Serf from server, and
> have it pass them on for subsequent requests?
> I.e. hand it a custom token / cookie after the initial authentication.

You have complete control over the request and response with Serf. But
you're talking about creating a custom _client_ for your custom server;
are you sure you want to go there?

> I'm building a Subversion HTTPS server with SSO over Kerberos (Samba4
> ADC), and our Windows client (SlikSVN) crashes mid-checkout on some
> repositories with mod_auth_kerb (auth_ntlm_winbind sort of works, but
> it's suboptimal for various reasons).
> I've written about the issue to SlikSVN developers, but since a fix
> might take a while, I'd like to set up a workaround.
>
> Since the first few Kerberos authenticated requests work, and the
> client crashes only later in the process, I was contemplating making
> the server pass a JWT token, a cookie or something like that, and
> having the client use that for authentication from there on.
>
> Is that sort of thing possible with Serf?
>
> As an alternative, I was thinking about creating a temporary
> repository URL with the credentials embedded in its URI, and
> redirecting the client there for the rest of the session. But I guess
> it's not possible to instruct SVN to use a different URL from the
> server.

Read the documentation for HTTP status code 302 or 307. Subversion
handles redirects.

Of course, embedding authn tokens in the URL, where they're exposed
before the SSL handshake (and will typically end up in server logs, too)
is hardly secure.

-- Brane
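Brane's caveat in both of his replies above, that a token carried in the URL usually ends up in the server's access log, as an added example that is not part of the thread: a small Python check that scans Apache combined-format log lines for credential-bearing query parameters (a JWT or session id, as Jarno considered) and redacts them before the log is shipped or shared. The sample log lines and the list of sensitive parameter names are constructed assumptions, not from any real server.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample Apache "combined" access-log lines (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2017:09:23:43 +0000] "GET /svn/repo/!svn/rvr/42/trunk HTTP/1.1" 200 512 "-" "SVN/1.9.7 serf/1.3.9"
10.0.0.5 - - [06/Oct/2017:09:23:44 +0000] "GET /svn/repo/trunk?token=eyJhbGciOiJIUzI1NiJ9.e30.abc HTTP/1.1" 200 1024 "-" "SVN/1.9.7 serf/1.3.9"
10.0.0.5 - - [06/Oct/2017:09:23:45 +0000] "PROPFIND /svn/repo/trunk?rev=42 HTTP/1.1" 207 700 "-" "SVN/1.9.7 serf/1.3.9"
10.0.0.6 - - [06/Oct/2017:09:24:01 +0000] "GET /svn/other?sessionid=a1b2c3d4 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Query-parameter names that commonly carry bearer credentials (assumed list; extend per site).
SENSITIVE_PARAMS = {"token", "access_token", "jwt", "sessionid", "sid", "auth", "apikey", "api_key"}

# The request line inside a combined-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def find_exposed_tokens(log_text):
    """Return (line_no, param_name) pairs for requests whose query string carries a credential."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, _value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                hits.append((line_no, name))
    return hits


def redact_line(line):
    """Replace the value of each sensitive query parameter with REDACTED; other fields are untouched."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    if not parts.query:
        return line
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    clean = urlencode([(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs])
    return line.replace(m.group("target"), parts._replace(query=clean).geturl(), 1)


if __name__ == "__main__":
    for line_no, name in find_exposed_tokens(SAMPLE_LOG):
        print(f"line {line_no}: credential in query parameter '{name}'")
    print("\n".join(redact_line(l) for l in SAMPLE_LOG.splitlines()))
```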