I’ve got a use case that I haven’t run across before. I’d like to secure git (via https) using keycloak.
A few additional requirements:
- The keycloak setup is one where there may be external IdPs, so client_credentials grant types won’t work.
- Running a local webserver that listens for the callback is considered a “security hole” by the customer, since it would either need to run on http, or with a self-signed cert.
- We can install git “credential helpers”.
- We have full control over the proxy in front of git (nginx), and can modify its configuration and modules.
My initial thought was the following:
- Write a git “credential helper” that outputs a login link to be opened in the browser
- Have the login use a client with a custom login flow
- Write a custom authenticator that stores a “code” (e.g. 6 digits or something simple) as a new credential type, and outputs the code at the end of a successful login
- Use the git credential helper to ask for the code
- Write the nginx configuration using the auth_request module to perform an auth subrequest that passes the code to keycloak, which returns a 2xx, and deletes the credential if it matches (to enforce one-time use)
My questions are:
- Has anyone encountered a use case like this?
- Can anyone review my proposal and see if there are holes/improvements?
Thanks and best regards!
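For anyone reviewing the proposal, here is a small model of the flow it describes, written as an added example for this thread (it is not the poster's helper and not Keycloak's credential SPI). The client half is a git credential helper that prints the login link and asks for the code on the terminal; the server half models the check that the nginx auth_request subrequest would hit, hashed at rest, time-limited, attempt-limited and deleted on first use, since a 6-digit code with unlimited retries would be guessable. Hostnames, realm, client id, code length, TTL and attempt limit are assumptions, not values from the post.

```python
"""Model of the proposed flow: git credential helper (client) + one-time code
check (server). Example code for this thread, not the poster's or Keycloak's.
Hostnames, realm, client id, code length, TTL and attempt cap are assumptions."""

import hashlib
import hmac
import secrets
import sys
import time
from urllib.parse import urlencode

KEYCLOAK_BASE = "https://sso.example.com"  # assumed
REALM = "git"                               # assumed
CLIENT_ID = "git-cli"                       # assumed: client bound to the custom flow
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5                            # 6 digits are guessable; cap retries


def parse_credential_request(text):
    """Parse git's credential helper input: 'key=value' lines, blank line ends it."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def build_login_url(attrs):
    """Login link for the browser. The custom authenticator is assumed to end the
    flow by displaying the code, so the redirect_uri is never actually followed."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
              "redirect_uri": f"{KEYCLOAK_BASE}/realms/{REALM}/account"}
    if attrs.get("username"):
        params["login_hint"] = attrs["username"]
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?" + urlencode(params)


def format_credential_response(username, code):
    """Output git expects from 'get': the one-time code travels as the password."""
    return f"username={username}\npassword={code}\n"


def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()


class OneTimeCodeStore:
    """Model of the code credential the authenticator would store per user."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}  # username -> [digest, expires_at, failed_attempts]

    def issue(self, username):
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._codes[username] = [_digest(code), self._clock() + CODE_TTL_SECONDS, 0]
        return code

    def redeem(self, username, code):
        """The check behind the auth_request subrequest: True exactly once per code."""
        entry = self._codes.get(username)
        if entry is None:
            return False
        digest, expires_at, failed = entry
        if self._clock() > expires_at:
            del self._codes[username]
            return False
        if not hmac.compare_digest(digest, _digest(code)):
            entry[2] = failed + 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._codes[username]
            return False
        del self._codes[username]  # one-time use: a replayed code is refused
        return True


def read_from_tty(prompt):
    """git pipes the helper's stdin, so prompt on the controlling terminal instead."""
    with open("/dev/tty", "r+") as tty:
        tty.write(prompt)
        tty.flush()
        return tty.readline().strip()


def main(argv):
    if len(argv) < 2 or argv[1] != "get":
        return 0  # store/erase: a one-time code must never be cached
    attrs = parse_credential_request(sys.stdin.read())
    username = attrs.get("username") or read_from_tty("Username: ")
    attrs["username"] = username
    sys.stderr.write(f"Open this link in a browser and sign in:\n  {build_login_url(attrs)}\n")
    code = read_from_tty("Enter the code shown after login: ")
    sys.stdout.write(format_credential_response(username, code))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in with `git config credential.helper /path/to/this-script.py`, git calls the helper with `get` and reads username/password back on stdout; the code then reaches nginx in the Basic auth header, and the auth_request subrequest would perform the equivalent of `redeem()`. Two points the model makes explicit for review: the helper ignores `store`, so the one-time code is never written to any cache, and the server deletes the credential after a capped number of wrong guesses, not only after a match.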