sonatype / nexus-public

Sonatype Nexus Repository Open-source codebase mirror
https://www.sonatype.com/products/repository-oss-download
Eclipse Public License 1.0

Support google application default credentials #420

Open MFAshby opened 5 days ago

MFAshby commented 5 days ago

I'm trying to use nexus as a cache/proxy in front of a private google artifact registry. In order to pull from artifact registry, the application needs to supply some credentials for a google account with appropriate permissions.

Presently nexus only supports http basic auth. The nexus blog recommends using a service account key.

Google themselves recommend using workload identity federation instead of service account keys, to avoid the risk of leaked credentials. If nexus is running in some supported environment, or indeed on a developer machine where gcloud auth application-default login has been run, then no service account key is required to access the upstream artifact registry.

In our case specifically, I want developers to run a local nexus to cache images from google artifact registry, and also so they can write to their local nexus (but not to the google artifact registry).

Add an extra authentication mechanism alongside 'username' and 'ntlm': 'google ADC' for authenticating with upstream repositories using application default credentials. Use the google auth library to obtain credentials from the environment instead of taking them from user supplied configuration.

nexus-3.69.0-02, Ubuntu 22.0.4 LTS, local file system.

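As an illustration of the proposed "google ADC" scheme, here is an added example (not code from nexus-public or from the reporter) that resolves credentials through google-auth-library-java's application-default chain and turns them into request headers for an upstream Artifact Registry. The class name GoogleAdcAuth and the cloud-platform scope are assumptions; the fixed username oauth2accesstoken is the form Artifact Registry documents for passing an access token as HTTP basic auth.

```java
import com.google.auth.oauth2.GoogleCredentials;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

/** Hypothetical ADC-backed upstream authenticator; not part of nexus-public. */
public final class GoogleAdcAuth {

    // Scope assumed here; Artifact Registry accepts cloud-platform scoped tokens.
    private static final String SCOPE = "https://www.googleapis.com/auth/cloud-platform";

    private final GoogleCredentials credentials;

    private GoogleAdcAuth(GoogleCredentials credentials) {
        this.credentials = credentials;
    }

    /** Pulls credentials from the environment (metadata server, workload identity,
     *  or a developer's gcloud ADC login) instead of from stored repository config. */
    public static GoogleAdcAuth fromEnvironment() throws IOException {
        GoogleCredentials creds = GoogleCredentials.getApplicationDefault()
            .createScoped(Collections.singletonList(SCOPE));
        return new GoogleAdcAuth(creds);
    }

    /** Short-lived bearer token; the library refreshes it, so nothing long-lived is kept. */
    public String accessToken() throws IOException {
        credentials.refreshIfExpired();
        return credentials.getAccessToken().getTokenValue();
    }

    /** Same token expressed as basic auth, so it can ride an existing basic-auth transport. */
    public String basicAuthHeader() throws IOException {
        String pair = "oauth2accesstoken:" + accessToken();
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws IOException {
        GoogleAdcAuth auth = GoogleAdcAuth.fromEnvironment();
        // args[0]: an upstream Artifact Registry URL supplied by the caller (placeholder)
        HttpURLConnection conn = (HttpURLConnection) new URL(args[0]).openConnection();
        conn.setRequestProperty("Authorization", "Bearer " + auth.accessToken());
        System.out.println("upstream responded " + conn.getResponseCode());
    }
}
```

Because the token is minted per request and expires on its own, a compromised nexus configuration store no longer yields a reusable service account key.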

MFAshby commented 5 days ago

Here is the existing list of authentication mechanisms for proxy repositories.