GNOME Bugzilla – Bug 762097
owncloud: Support GSSAPI for authentication
Last modified: 2021-07-05 10:58:57 UTC
Currently we only support HTTP basic authentication for ownCloud. It is time we added GSSAPI to the list.
Created attachment 321279: httpclient: Don't hard-code "Connection: close" in the request headers
Created attachment 321280: httpclient: Enable Negotiate authentication scheme
These patches are work-in-progress and require GSSAPI support in libsoup (bug 587145). We need to tweak the UI to not ask for a password when not needed, and somehow advertise this over D-Bus for applications to know which authentication method to use.
Comment on attachment 321279: httpclient: Don't hard-code "Connection: close" in the request headers
Looks good to me. Reading the HTTP/1.1 spec, "Connection: close" should be set only on connections that are not going to be persistent. Obviously, our GSSAPI negotiation is not like that due to multi-phase processing of the negotiate sequence over the same connection. I don't think there would be too much damage for other use cases by removing the "Connection: close" header these days, so it is probably fine to remove it unconditionally.
Review of attachment 321280:
Looks good to me, thanks! For context, Debarshi did test these changes against my FreeIPA deployment with ownCloud configured against Ipsilon with GSSAPI.
Comment on attachment 321279: httpclient: Don't hard-code "Connection: close" in the request headers
Pushed to master.
Created attachment 321743: httpclient: Enable Negotiate when there is no password
Created attachment 321744: httpclient: Add API to detect supported authentication mechanisms
Created attachment 321745: owncloud: Rename an internal variable
Created attachment 321746: owncloud: Remove needless g_cancellable_reset calls
Created attachment 321747: owncloud: Consolidate the different ways in which we run the dialog
Created attachment 321748: owncloud: Support GSSAPI/Negotiate authentication
This is now in a demo-able state. However, there are some rough edges:
- I don't know how to get the identity that libsoup used to authenticate to the server. That means I can't create the username@server string to show in the UI.
- Invalid certificates need more thought. Currently, the authentication mechanism detection will fail with invalid certificates. That means it will enable the username / password entries and the connect button. I am thinking of retrying the message with a relaxed certificate check and without NEGOTIATE support (so that we don't send anything over the network) to check if the server supports BASIC. If it does, then we can retain our current behaviour of not allowing the connect button without a password. If it doesn't (i.e. it is a server with NEGOTIATE and an invalid certificate), then we disable the username / password and enable the connect button.
- I haven't touched the "refresh" code path, which is used when an account's credentials need to be updated, but it shouldn't be too hard once we figure out the above issues.
Note that these patches don't hide the username / password entries. Instead they disable them by setting sensitive=FALSE.
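The mechanism detection and the entry-disabling rule described in the comment above, as an added example that is not part of the bug's patches or of gnome-online-accounts: it parses WWW-Authenticate challenge values in plain C, without libsoup. The function names, the sample headers and the simplified UI rule are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum { MECH_BASIC = 1 << 0, MECH_NEGOTIATE = 1 << 1 };

/* Scan one WWW-Authenticate value, which may hold several comma-separated
 * challenges. Scheme names inside quoted strings or auth-params don't count. */
static unsigned parse_challenges(const char *v)
{
    unsigned mechs = 0;
    while (*v) {
        v += strspn(v, ", \t");                     /* start of next list element */
        size_t n = strcspn(v, " \t,=\"");           /* its first token */
        const char *p = v + n + strspn(v + n, " \t");
        if (n && *p != '=') {                       /* no '=' after it: a scheme name */
            if (n == 5 && !strncasecmp(v, "Basic", n)) mechs |= MECH_BASIC;
            if (n == 9 && !strncasecmp(v, "Negotiate", n)) mechs |= MECH_NEGOTIATE;
        }
        for (bool q = false; *p && (q || *p != ','); p++) {  /* skip rest of element */
            if (q && *p == '\\' && p[1]) p++;       /* escaped char in quoted string */
            else if (*p == '"') q = !q;
        }
        v = p;
    }
    return mechs;
}

/* OR together the challenges from every WWW-Authenticate line of one 401 reply. */
static unsigned detect_mechanisms(const char *const *lines, size_t count)
{
    unsigned mechs = 0;
    for (size_t i = 0; i < count; i++) mechs |= parse_challenges(lines[i]);
    return mechs;
}

/* Assumed UI rule, following the comment: the username / password entries stay
 * sensitive unless the server offers Negotiate and no Basic. */
static bool entries_sensitive(unsigned mechs)
{
    return !((mechs & MECH_NEGOTIATE) && !(mechs & MECH_BASIC));
}

int main(void)
{
    /* Constructed sample headers, not captured from a real server. */
    const char *both[] = { "Basic realm=\"ownCloud, test\"", "Negotiate" };
    const char *decoy[] = { "Digest realm=\"Basic, Negotiate\", nonce=\"abc\"" };
    printf("both=%u decoy=%u\n", detect_mechanisms(both, 2), detect_mechanisms(decoy, 1));
    return 0;
}
```

The decoy header shows why a substring search for "Negotiate" is not enough: a realm string can contain scheme names without the server offering them.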
Created attachment 321750: httpclient: Add API to detect supported authentication mechanisms
These patches also live in the gnome-online-accounts:wip/rishi/owncloud-gssapi branch.
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new ticket at https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/issues/ Thank you for your understanding and your help.