Few months ago GitHub implemented Smart HTTP support for GIT. This is fascinating, because the previous version of the http based transport was very slow compared to SSH.
What I like the most about using HTTP, is that you can extend it. In particular, you can use your own authentication scheme. For example, you could use any OAuth based login (like Google, Facebook or Amazon for example) to clone repos!
So we prototyped with Smart HTTP using Grack and integrated that with Auth0.
And this shows how it works:
This article explains how to run a Git server supporting any authentication provider: social, custom or perhaps more interesting enterprise systems like Active Directory, Google Apps, Office365, Salesforce, etc.
The nice thing about using this is that you can grant access to Git repositories using Google Apps groups or Office365 Groups. When someone leaves the company you delete the user from the directory and that's it. No need to manage SSH keys.
Grack + Auth0 = GitZero
1- Signup to Auth0
2- Register an application
3- Download and prepare GitZero
$ git clone https://github.com/auth0/gitzero.git $ cd gitzero $ bundle install
4- Configure GitZero
.env file inside the
gitzero directory with the following format:
AUTH0_NAMESPACE=YOUR-ACCOUNT.auth0.com AUTH0_CLIENT_ID=YOUR-CLIENT-ID AUTH0_CLIENT_SECRET=YOUR-CLIENT-SECRET
6- Run GitZero
bundle exec unicorn --port 9292
You can use any rack server, but I've noticed that unicorn works better in this case than thin.
5- Register the Callback URL in Auth0
Go to the Settings of the application you created and enter the URL where GitZero is running.
6- Test it
If you try to clone this repository you will be prompted for your credentials and you will get an access denied error:
$ git clone http://localhost:9292 my-repo Cloning into 'my-repo'... Username for 'http://localhost:9292': Password for 'http://localhost:9292': fatal: unable to access 'http://localhost:9292/': The requested URL returned error: 403
You can open a browser and point it to http://localhost:9292. After login you will get instructions on how to clone the repo
GitZero will check the JSON Web Token and validates it using the secret that was set in step 4.
Note: this approach works regardless of how the JSON Web Token was issued. Here we are showing Auth0 as the issuer of the token.
Note 2: The token will be saved. i.e. you don't have to do this for every git push.
Note 3: If you only need support for: Active Directory / LDAP connections, or plain User/Password Databases. take a look at GitZero2RO which will work with a regular user/password (not through the browser)
Happy Token Auth!