Hi!
How does the Nexus Repository Manager integrate the OAuth2 protocol to log in?
Do I need to develop my own plugins?
What do I need to do if I need to develop a plugin?
There is no support for OAuth2 in Nexus Repo 3 at the moment.
However, Nexus 3 does support remote user token authentication, so as a workaround you could use a reverse proxy in front of Nexus that does the authentication via OAuth or similar, and have it send the authenticated user IDs into Nexus via this feature:
https://help.sonatype.com/display/NXRM3/Authentication+via+Remote+User+Token
Thanks for your reply!
Nexus seems to have csrf-token and jsessionid. I want to turn off the nexus csrf filter to access the login API by username and password. What should I do?
If you’re using remote user token authentication there won’t be a login in Nexus; the login is done by the server running in front of Nexus, and it sends the authenticated user ID in as an HTTP header.
Rich
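As an added example of the setup Rich describes (not code from this thread or from Sonatype): an Apache httpd 2.4 reverse proxy that handles the OIDC login with mod_auth_openidc and forwards only the verified user ID to Nexus in the RUT header. It assumes Nexus listens on localhost:8081, that the RUT realm in Nexus is enabled and configured to read the header REMOTE_USER, and that the IdP URL, client ID, secret and claim name are placeholders to replace.

```apache
# Added example, not from the thread or from Sonatype.
# Assumptions: Nexus on localhost:8081, RUT realm enabled in Nexus with header
# name REMOTE_USER (change both places if Nexus is configured differently),
# IdP values are placeholders.

LoadModule auth_openidc_module modules/mod_auth_openidc.so

OIDCProviderMetadataURL https://idp.example.test/.well-known/openid-configuration
OIDCClientID CLIENT-ID-PLACEHOLDER
OIDCClientSecret CLIENT-SECRET-PLACEHOLDER
OIDCRedirectURI https://nexus.example.test/oidc-callback/
OIDCCryptoPassphrase CRYPTO-PASSPHRASE-PLACEHOLDER
# The claim that carries the user ID Nexus knows (assumed: preferred_username).
OIDCRemoteUserClaim preferred_username

<VirtualHost *:443>
    ServerName nexus.example.test
    # SSLEngine and certificate directives belong here (omitted).

    # Nexus trusts whatever arrives in the RUT header as an authenticated
    # identity, so the proxy must own that header: drop any copy a client
    # sends before authentication runs ("early"), and keep Nexus itself
    # reachable only from this proxy (bind to localhost / firewall it).
    RequestHeader unset REMOTE_USER early
    RequestHeader unset X-Forwarded-User early

    <Location />
        AuthType openid-connect
        Require valid-user
        # After mod_auth_openidc has verified the user, forward that ID only.
        RequestHeader set REMOTE_USER "expr=%{REMOTE_USER}"
    </Location>

    ProxyPreserveHost On
    ProxyPass        / http://localhost:8081/
    ProxyPassReverse / http://localhost:8081/
</VirtualHost>
```

Because every path under / is behind the OIDC login here, a non-browser client such as Maven receives the IdP redirect instead of a 401, which is exactly the behaviour reported later in this thread.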
@rseddon : I’ve implemented RUT authentication with apache as the reverse proxy. It works perfectly when authenticating manually on the Web UI.
However it does not work when uploading / downloading artifacts from maven during a build:
As the SSO authentication is handled by the Apache reverse proxy and not “inside” Nexus, Maven gets a 302 redirect when sending a GET/PUT request, resulting in a build failure. If the SSO (OIDC or SAML) was handled by Nexus, it would be “transparent” for Maven and everything would work fine.
Did you already have such feedback on this RUT feature? Is there a plan to integrate SSO (OIDC or SAML) for Nexus 3? It’s a rather common feature to have in 2019 for a largely used application like Nexus; I’m surprised that it’s not in your scope yet.
Thanks.
I don’t understand this:
If the SSO (OIDC or SAML) was handled by Nexus, it would be “transparent” for Maven and everything would work fine.
And how would Maven be authenticating? AFAIK Maven, like most build tools, will only use HTTP basic authentication across an HTTP connection. A way to improve the security of that, if you are interested, is user tokens:
https://help.sonatype.com/display/NXRM3/Security+Setup+with+User+Tokens
But those are part of the paid version of Nexus.
Rich
Hi Rich,
My previous post was not clear. I was thinking that if Nexus handles the SSO with a plugin or a built-in feature, it would be possible to easily protect the web UI admin pages with SSO while the repository URLs are protected by another method. This way, it would work with standard auth for Maven, and SSO auth for web UI administration.
With the RUT method, you have to tell the reverse proxy what you are protecting, but you can’t add exclusions. So if you protect “/” you can’t add an exclusion for “/repository/*”, for example.
Since this is where you end up when searching for “nexus oidc” or “nexus openid connect”, I’d like to drop a breadcrumb here.
The situation has not changed much. There is no native support by Nexus. There are several community-driven plugins with different approaches. I wasn’t satisfied with any of them so I implemented one more.
I will refrain from advertising my own and just wanted to let searching people know that it is certainly possible with one of the plugins from GitHub. There is at least one that I know of which fully integrates OIDC straight into Nexus. Others put additional services in front of or around it. There are benefits to either approach. What it comes down to is that you need an API token mechanism for programmatic (Maven, Gradle, …) access, and for the interactive access with the browser you’ll be just fine because that is the easy part.