OAuth2 support was only implemented for the web UI so far
but not for Git-over-HTTP communication. This patch adds
a mechanism similar to that supported by GitHub,
where Git clients may send OAuth2 access tokens instead
of passwords in a Basic authentication header [1].

Received access tokens will be verified by means of an
OAuthLoginProvider, which is a new extension point.

The OAuth2 protocol does not specify a mechanism for how to
verify access tokens, so there is no default implementation
for the OAuthLoginProvider interface, but a plugin must
provide a suitable implementation.

In order to enable OAuth2 authentication for Git-over-HTTP
the configuration option auth.type must be set to OAUTH
and auth.gitBasicAuth must be set to true. The parameter
auth.gitOAuthProvider defines the default OAuthLoginProvider
to use in case multiple OAuthLoginProvider implementations
are installed and it cannot be deduced from the request,
which OAuth provider to address.

An OAuthLoginProvider implementation may also support
HTTP Basic authentication with passwords instead of access
tokens, if the OAuth2 backend supports the Resource Owner
Password Credentials Grant authentication flow [2] or some
other API for verifying password credentials. For that reason
the second parameter of the OAuthLoginProvider interface is
called "secret" instead of "accessToken".

An example implementation for the OAuthLoginProvider
extension point will be contributed to the cfoauth plugin.

[1] https://developer.github.com/v3/auth/#basic-authentication
[2] https://tools.ietf.org/html/rfc6749#section-4.3

Change-Id: I0f00599dce38a806fd3e21758ea9e2cab49ce57f
Signed-off-by: Michael Ochmann <michael.ochmann@sap.com>
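
The flow the commit message describes, as an added sketch that is not code from this change or from Gerrit: a Basic header carrying `user:secret` is decoded and the secret is handed to a provider, falling back to a configured default when several providers are installed. The `LoginProvider` interface, the selection logic and the provider names are assumptions made for illustration; deducing the provider from the request is not modelled.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

public class GitBasicOAuthSketch {
  // Hypothetical stand-in for the extension point; only the name "secret" comes from the commit message.
  interface LoginProvider {
    boolean login(String username, String secret); // secret: access token or password
  }

  // Decodes "Basic base64(user:secret)"; returns null for anything malformed.
  static String[] parseBasic(String header) {
    if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
    String decoded;
    try {
      byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
      decoded = new String(raw, StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) {
      return null; // not valid base64
    }
    int colon = decoded.indexOf(':'); // split on the first colon only: a secret may contain ':'
    if (colon <= 0 || colon == decoded.length() - 1) return null; // empty user or empty secret
    return new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)};
  }

  // One provider installed: use it. Several: use the configured default, otherwise fail closed.
  static LoginProvider select(Map<String, LoginProvider> installed, String configuredDefault) {
    if (installed.size() == 1) return installed.values().iterator().next();
    return configuredDefault == null ? null : installed.get(configuredDefault);
  }

  static boolean authenticate(String header, Map<String, LoginProvider> installed, String dflt) {
    String[] cred = parseBasic(header);
    LoginProvider provider = select(installed, dflt);
    return cred != null && provider != null && provider.login(cred[0], cred[1]);
  }

  public static void main(String[] args) {
    // Constructed sample data: the provider names and the token are made up.
    Map<String, LoginProvider> providers = Map.of(
        "idp-a", (u, s) -> s.equals("tok:en-123"),
        "idp-b", (u, s) -> false);
    String header = "Basic " + Base64.getEncoder()
        .encodeToString("alice:tok:en-123".getBytes(StandardCharsets.UTF_8));
    System.out.println(authenticate(header, providers, "idp-a"));      // default provider configured
    System.out.println(authenticate(header, providers, null));         // several providers, no default
    System.out.println(authenticate("Basic !!!", providers, "idp-a")); // malformed base64
  }
}
```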