How does the Nexus Repository Manager integrate the OAuth2 protocol to log in?

Hi!
How does the Nexus Repository Manager integrate the OAuth2 protocol to log in?
Do I need to develop my own plugins?
What do I need to do if I need to develop a plugin?

There is no support for OAuth2 in Nexus Repo 3 at the moment.

However, Nexus 3 does support remote user token authentication, so as a workaround you could use a reverse proxy in front of Nexus that does the authentication via OAuth or similar, and have it send the authenticated user IDs into Nexus via this feature:

https://help.sonatype.com/display/NXRM3/Authentication+via+Remote+User+Token

Thanks for your reply!
Nexus seems to have a csrf-token and a jsessionid. I want to turn off the Nexus CSRF filter to access the login API by username and password. What should I do?

If you’re using remote user token authentication there won’t be a login in Nexus, the login is done by the server running in front of Nexus, and it sends the authenticated user ID in as an HTTP header.

Rich
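
With remote user token authentication as described in the replies above, the HTTP header is the only credential Nexus sees, so the proxy has to drop any copy of that header sent by the client before adding its own. An added sketch of that rule, not part of the thread or of Sonatype's code; the header name `X-Proxy-REMOTE-USER` and the function names are assumptions, and the name must match whatever is configured in Nexus.

```python
# Added example: header handling a reverse proxy needs in front of Nexus RUT.
# RUT_HEADER is an assumed name; it must match the header configured in Nexus.
RUT_HEADER = "X-Proxy-REMOTE-USER"


def canon(name):
    """Fold case and '_'/'-' so look-alike spellings compare equal."""
    return name.strip().lower().replace("_", "-")


def spoofed_values(client_headers):
    """Values the client supplied for the identity header (worth logging)."""
    return [v for n, v in client_headers if canon(n) == canon(RUT_HEADER)]


def upstream_headers(client_headers, authenticated_user):
    """Build the header list forwarded to Nexus.

    client_headers: list of (name, value) pairs as received from the client.
    authenticated_user: user ID from the proxy's own SSO session, or None.
    """
    # 1. Never forward a client-supplied identity header, whatever its spelling.
    forwarded = [(n, v) for n, v in client_headers if canon(n) != canon(RUT_HEADER)]
    # 2. Add the header only when the proxy itself authenticated the user.
    if authenticated_user:
        if "\r" in authenticated_user or "\n" in authenticated_user:
            raise ValueError("user ID contains a line break")
        forwarded.append((RUT_HEADER, authenticated_user))
    return forwarded


# Constructed sample request: an anonymous client claiming to be "admin".
SAMPLE = [
    ("Host", "nexus.example.test"),
    ("x-proxy-remote-user", "admin"),
    ("X_Proxy_Remote_User", "admin"),
    ("Accept", "*/*"),
]

if __name__ == "__main__":
    print(spoofed_values(SAMPLE))
    print(upstream_headers(SAMPLE, None))
    print(upstream_headers(SAMPLE, "alice"))
```

The same reasoning means Nexus should accept connections only from the proxy, since a client that reaches Nexus directly can send the header itself.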

@rseddon: I’ve implemented RUT authentication with Apache as the reverse proxy. It works perfectly when authenticating manually on the Web UI.
However, it does not work when uploading / downloading artifacts from Maven during a build:
As the SSO authentication is handled by the Apache reverse proxy and not “inside” Nexus, Maven gets a 302 redirect when sending a GET/PUT request, resulting in a build failure. If the SSO (OIDC or SAML) was handled by Nexus, it would be “transparent” for Maven and everything would work fine.

Have you already had such feedback on this RUT feature? Is there a plan to integrate SSO (OIDC or SAML) for Nexus3? It’s a rather common feature to have in 2019 for a largely used application like Nexus, I’m surprised that it’s not in your scope yet :frowning:

Thanks.

I don’t understand this:

> If the SSO (OIDC or SAML) was handled by Nexus, it would be “transparent” for Maven and everything would work fine.

And how would Maven be authenticating? AFAIK Maven, like most build tools, will only use HTTP basic authentication across an HTTP connection. A way to improve the security of that, if you are interested, is user tokens:

https://help.sonatype.com/display/NXRM3/Security+Setup+with+User+Tokens

But those are part of the paid version of Nexus.

Rich

Hi Rich,

My previous post was not clear. I was thinking that if Nexus handles the SSO with a plugin or a built-in feature, it would be possible to easily protect the web-UI admin pages with SSO while the repository URLs are protected by another method. This way, it would work with standard auth for Maven, and SSO auth for web-UI administration.
With the RUT method, you have to tell the reverse proxy what you are protecting, but you can’t add exclusions. So if you protect “/” you can’t add an exclusion for “/repository/*”, for example.