Closed ibauersachs closed 1 year ago
Closing, as Bitbucket DC now supports OAuth and you can forcibly specify use of OAuth for a particular remote. See this comment for more details.
@ldennington The issue you linked is for Bitbucket Cloud, while my issue here is about Bitbucket Server (or DC).
Also:
Please reopen this issue.
Please reopen this issue.
I'm guessing this won't be reopened.
We're also using Bitbucket Data Center with OpenID Connect. We authenticate using PIV/CAC not username/password.
@tdillon - thanks for elevating the above request. Apologies we didn't do this sooner.
@mminns - given that @mjcheetham and I don't have a DC instance, would you be willing to confirm that GCM hangs in auto-detection on your instance and, if so, help us validate the fix once it's in place?
Morning, yes I can have a look.
There's no need for a regular Bitbucket DC installation; Atlassian's SDK with the atlas-run-standalone --product bitbucket command can start instances for such purposes. See here: https://developer.atlassian.com/server/framework/atlassian-sdk/atlas-run-standalone/
@ibauersachs is correct about using atlas-run-standalone
I am interested by this issue because I successfully use Oauth with our in-house Bitbucket DC instances daily.
Bitbucket DC does support OAuth 2.0.
It is correct that an Admin must set up the server and generate the consumer key and secret, but once that is done, local installs of GCM can be configured with the key and secret and then use the 3LO flow to authenticate individual users.
@ibauersachs I followed the instructions on Bitbucket Authentication, 2FA and OAuth and came up with the following .gitconfig.
[credential "https://my.bitbucket.server.gov/bitbucket"]
provider = bitbucket
bitbucketDataCenterOAuthClientId = 11111111111111111111111111111111
bitbucketDataCenterOAuthClientSecret = 2222222222222222222222222222222222222222222222222222222222222222
usehttppath = true
With this .gitconfig, git is able to start the OAuth authentication flow. I'm able to authenticate with my IDP and I get redirected to Bitbucket's "oauth consent" page. On that page there are Allow and Deny buttons.
Unfortunately for me, when I click Allow I am just redirected back to the same page. I have a support ticket with Atlassian to help track down the issue. I'm curious if you'd have better luck with a similar setup. I am also curious if having the client id and secret in plain text on each developer's machine is an issue, but for now I'm just trying to get it working.
That matches my config which is working.
❯ git config --global -l
...
credential.https://my-bitbucket-server.atlassian.com.provider=bitbucket
credential.https://my-bitbucket-server.atlassian.com.bitbucketdatacenteroauthclientid=11111111111111111111111111111111111111
credential.https://my-bitbucket-server.atlassian.com.bitbucketdatacenteroauthclientsecret=2222222222222222222222222222222222222222222222222222222222222
...
The redirect after Allow sounds like something happening in your server/network side rather than from GCM.
Have you tried using the env var GCM_TRACE=1 to see the flow of requests from GCM, to see if there is communication after the Allow?
Re: The client ID and secret being in plaintext.
To be fair it is something I have wondered about from time to time.
In principle it would be possible to obscure them on disk, or perhaps store them somewhere like the Vault, but at some point they need to be distributed to users, and it seems to me that either has to be in plaintext, to be encoded locally, or in encoded form, but then the client application needs to be able to decode them for use. As an open source dotnet application it would be easy for someone to reverse engineer that decoding process if they have access to the encoded values.
So I'm not sure you actually gain much ... but I'm not a security expert.
Ultimately you are relying on the security of the client workstation, AFAICS
Have you tried using the env var GCM_TRACE=1 to see the flow of requests from GCM, to see if there is communication after the Allow?
I have. The git client does not receive any communication after clicking Allow. I agree the issue is with our server or network.
Ultimately you are relying on the security of the client workstation, AFAICS
I'll have to ask Atlassian support for their take and the risks with this setup.
@ibauersachs - are you able to test out the config highlighted by @tdillon and @mminns to see if it works for you?
Sorry, I've been rather busy. I can try the config, but configuring anything manually is beside the point of this issue: we have basic auth enabled (along with SSO) and a git clone https://bitbucket.example.org/scm/project/repo.git makes GCM hang (as long as there is no additional config) and without any user feedback whatsoever. This should not happen.
From your logs, it seems like we are either hanging following a redirect to an ADFS instance or are stuck in a redirect loop. We cannot tell this for sure from the logs. However, we could consider disabling redirects during host provider discovery HEAD requests as a possible mitigation. This could prevent us from correctly discovering hosts, though. Do you know if a redirect loop is happening from the logs on your side? Sadly, the .NET HttpClient doesn't provide insight into redirects; all we can do is disable or set an arbitrary limit.
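The mitigation discussed above (disabling automatic redirects on the discovery HEAD request and bounding the number of hops) can be shown in a small, stand-alone .NET probe. This is an added example, not GCM's own code: it sends HEAD requests with AllowAutoRedirect disabled, follows Location headers itself, and reports a redirect loop, an off-host redirect (such as to an ADFS/IdP login page), or a hop-limit hit instead of hanging. The MaxHops value, the RedirectProbe class name and the bitbucket.example.org URL are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Hypothetical helper (not part of GCM): probe a host with HEAD requests while
// following redirects manually so a loop or an SSO redirect is detected
// rather than silently followed until something hangs.
public static class RedirectProbe
{
    // Assumed arbitrary limit, as the comment above suggests.
    public const int MaxHops = 5;

    public sealed class ProbeResult
    {
        public HttpStatusCode FinalStatus;
        public List<Uri> Chain = new List<Uri>();  // every URL visited, in order
        public bool LoopDetected;                  // same URL seen twice
        public bool LeftOriginalHost;              // redirected to another host (e.g. ADFS)
        public bool HopLimitReached;               // still redirecting after MaxHops
    }

    public static async Task<ProbeResult> HeadAsync(Uri start)
    {
        // Disable automatic redirects so each hop is visible to us.
        var handler = new HttpClientHandler { AllowAutoRedirect = false };
        using var client = new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(10) };

        var result = new ProbeResult();
        var seen = new HashSet<Uri>();
        var current = start;

        for (int hop = 0; hop < MaxHops; hop++)
        {
            if (!seen.Add(current))
            {
                result.LoopDetected = true;
                return result;
            }
            result.Chain.Add(current);

            using var request = new HttpRequestMessage(HttpMethod.Head, current);
            using var response = await client.SendAsync(request);
            result.FinalStatus = response.StatusCode;

            int code = (int)response.StatusCode;
            if (code < 300 || code >= 400 || response.Headers.Location == null)
            {
                // Not a redirect: a host provider would inspect response headers here.
                return result;
            }

            // Location may be relative; resolve it against the current URL.
            Uri next = response.Headers.Location.IsAbsoluteUri
                ? response.Headers.Location
                : new Uri(current, response.Headers.Location);

            if (!string.Equals(next.Host, start.Host, StringComparison.OrdinalIgnoreCase))
            {
                // Leaving the Git host (typically an IdP login page): stop, do not follow.
                result.LeftOriginalHost = true;
                result.Chain.Add(next);
                return result;
            }
            current = next;
        }

        result.HopLimitReached = true;
        return result;
    }

    public static async Task Main()
    {
        // URL taken from the issue; adjust for your own instance.
        var r = await HeadAsync(new Uri("https://bitbucket.example.org/scm/project/repo.git"));
        Console.WriteLine($"final status: {(int)r.FinalStatus}");
        Console.WriteLine($"loop: {r.LoopDetected}, left host: {r.LeftOriginalHost}, hop limit: {r.HopLimitReached}");
        foreach (var u in r.Chain) Console.WriteLine($"  -> {u}");
    }
}
```

Running this against a host that bounces HEAD requests to an SSO login will print the chain up to the first off-host Location and stop there, which is the information the logs in this issue could not provide. Set GCM_TRACE=1 alongside it to compare what GCM itself sees.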
Sorry for the late reply. I finally found some time to investigate again and wanted to compile if necessary. Things seem to have changed in the meantime. With Git 2.41.0.windows.1 and gcm 2.1.2 the hang doesn't happen anymore. The output without any specific host configuration and without saved credentials is now
git clone https://git.example.com/scm/~ibauersachs/gcm-test.git
Cloning into 'gcm-test'...
fatal: Bitbucket DC OAuth Client ID must be defined
Username for 'https://git.example.com': ibauersachs
Password for 'https://ibauersachs@git.example.com':
When entering the correct credentials, the password is saved and .gitconfig is changed to
[credential "https://git.example.com"]
provider = bitbucket
So I guess this can actually be closed.
@ibauersachs - thanks for the followup. Going to go ahead and close accordingly.
Which version of GCM Core are you using?
2.0.394-beta+3fc6791abf (via Git 2.31.1.windows.1)
(note that 2.0.318-beta+44acfafa98 from a co-worker's Git 2.30.1.windows.1 still works)
Which Git host provider are you trying to connect to?
Bitbucket Datacenter (on-prem) with OIDC SSO enabled. Thus the dashboard redirects to our ADFS server. Git authentication should happen with HTTP Basic or a PAT. There is AFAIK no OIDC authentication on the Bitbucket Datacenter REST API and Git endpoints.
Can you access the remote repository directly in the browser using the remote URL?
[Azure DevOps only] What format is your remote URL?
[Azure DevOps only] If the account picker shows more than one identity as you authenticate, check that you selected the same one that has access on the web.
Expected behavior
I am authenticated and my Git operation completes successfully.
Actual behavior
gcm hangs while trying to auto-detect the server product.
Logs
Looking on the server, the following URLs are HEAD-ed. Manually getting these URLs gives back:
->
->
I don't know if gcm also follows the redirects to ADFS and what happens there, but this is already a long list of redirects that won't lead to any result.
Workaround (both settings are required):