Open ZawadaZSE opened 4 years ago
Does this setup require double authentication, i.e. do you need to authenticate against the Azure proxy and after that against Gerrit?
Yes first I need to log in with my MS account (with 2FA) just to access gerrit, then I need to log in into gerrit. Based on parts of documentation that I read and behavior that I see, it uses cookies for access control.
@ZawadaZSE did you need any additional setup for your git cli?
Hey, unfortunately we don't have git access over internet -> only gerrit UI.
@ZawadaZSE, do you have more details about your scenario, e.g. when you browse to gerrit UI, can you inspect browser request to find out this cookie's name/value?
If you could retrieve data from your gerrit instance using a tool like e.g. curl -u 'user:pass' ... -b 'cookieName=value' ... -H 'someHeaders'
, it would be more clear how to solve your issue.
Yeah, so it works like this. When I'm not connected to our corporate VPN I can access gerrit via Azure Application Proxy, curling the endpoint without cookies results with 302 Redirect to Microsoft SSO: https://login.microsoftonline.com/[...]/oauth2/authorize?response_type=code&client_id=[client_Id]&scope=openid&[some_other_params] After login (with 2FA) I end up with cookie "AzureAppProxyAccessCookie_[client_Id]_1.3" When I add this cookie to curl I get access to gerrit rest api.
Hey,
our Gerrit instance is exposed via Azure Application Proxy when accessed over internet.
Plugin can't connect to instance with following error as it get's Microsoft login page:
Would it be possible to add support for some intermediate authentication methods? I guess that some popup window with cookie store should be enough.
What's your take on that?
Br, Kuba