Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SPNEGO authentication support #8982

Open
evgenyrahman opened this issue Apr 19, 2024 · 3 comments
Open

SPNEGO authentication support #8982

evgenyrahman opened this issue Apr 19, 2024 · 3 comments
Labels
core This issue is not accepting PRs from outside contributors discuss Feature changes that require discussion primarily among the GitHub CLI team enhancement a request to improve CLI gh-auth relating to the gh auth command needs-triage needs to be reviewed

Comments

@evgenyrahman
Copy link

Describe the feature or problem you’d like to solve

Some GitHub CLI users rely on the use of an authenticated proxy which has the necessary proxy rules allowing access to github.com. This authenticated proxy may use NTLM or Kerberos, which use SPNEGO authentication.

When a user is behind a proxy such as this, the gh CLI in its current form fails even if the login via the browser was successful:

> gh auth status
You are not logged into any GitHub hosts. Run gh auth login to authenticate.

> gh auth login
? What account do you want to log into? GitHub.com
? What is your preferred protocol for Git operations? HTTPS
? Authenticate Git with your GitHub credentials? Yes
? How would you like to authenticate GitHub CLI? Login with a web browser

Press Enter to open github.com in your browser...
failed to authenticate via web browser: HTTP 403

This is because most URLs for github.com are blocked by the proxy unless the user authenticates with the proxy via SPNEGO

The curl equivalent is 

```bash
curl -x http://proxy.example.com:PORT/ --proxy-negotiate -U

Proposed solution

How will it benefit CLI and its users?

Adding this support will unblock CLI use for GitHub users who are behind a proxy that uses SPNEGO-based authentication
@evgenyrahman evgenyrahman added the enhancement a request to improve CLI label Apr 19, 2024
@cliAutomation cliAutomation added the needs-triage needs to be reviewed label Apr 19, 2024
@evgenyrahman
Copy link
Author

This may help with adding SPNEGO support https://github.com/jcmturner/gokrb5

@andyfeller
Copy link
Contributor

Thanks for opening up this suggestion, @evgenyrahman! ❤ There's more about this need and how the intended audience needing it that'd be helpful to understand:

  1. How is git authenticating with SPNEGO?
  2. What other CLI applications are being used that support SPNEGO natively?
  3. Have you looked at tools like spnego-proxy which use gokrb5 as a standalone solution for any CLI application?

@andyfeller andyfeller added gh-auth relating to the gh auth command core This issue is not accepting PRs from outside contributors discuss Feature changes that require discussion primarily among the GitHub CLI team labels May 16, 2024
@evgenyrahman
Copy link
Author

Thanks @andyfeller I'll try to find out more and report back

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
core This issue is not accepting PRs from outside contributors discuss Feature changes that require discussion primarily among the GitHub CLI team enhancement a request to improve CLI gh-auth relating to the gh auth command needs-triage needs to be reviewed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@evgenyrahman @andyfeller @cliAutomation