Skip to content
This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

X-Forwarded-User should be configurable independent of -pass-basic-auth option #205

Closed
omazhary opened this issue Feb 8, 2016 · 8 comments · Fixed by #339
Closed

X-Forwarded-User should be configurable independent of -pass-basic-auth option #205

omazhary opened this issue Feb 8, 2016 · 8 comments · Fixed by #339

Comments

@omazhary
Copy link

omazhary commented Feb 8, 2016

We are using oauth2_proxy in front of grafana with its "auth.proxy" configuration option. This relies on X-Forwarded-User header to be sent.
However if we use option -pass-basic-auth, we not only get X-Forwarded-User but also Authorization: Basic with the base64-encoded username and an empty password. This will fail the login to grafana.

Instead, we want to be able to only send X-Forwarded-User (and X-Forwarded-Email) independent of BASIC auth.
Will provide a patch soon.
omazhary pushed a commit to omazhary/oauth2_proxy that referenced this issue Feb 9, 2016
Allow to pass user headers only (issue bitly#205)
7a751f0 
* This fixes bitly#205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
omazhary pushed a commit to omazhary/oauth2_proxy that referenced this issue Feb 22, 2016
Allow to pass user headers only (issue bitly#205)
4eaab78 
* This fixes bitly#205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
omazhary pushed a commit to omazhary/oauth2_proxy that referenced this issue Feb 29, 2016
Allow to pass user headers only (issue bitly#205)
ca3a92b 
* This fixes bitly#205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
@jakedt jakedt mentioned this issue Feb 29, 2016
Closed
colhom pushed a commit to coreos/oauth2_proxy that referenced this issue Feb 29, 2016
@colhom
Allow to pass user headers only (issue bitly#205)
82d7f0d 
* This fixes bitly#205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
@johnrengelman
Copy link

+1 Just smashed into this exact issue as well. Changes LGMT.

@johnrengelman
Copy link

Was just trying this patch out, but there still doesn't seem to be a way to log in to Grafana with Basic Auth once this proxy is in front of it (maybe that makes sense), but I'm trying to get at the built in admin account, but I always get redirected back to my oauth login.

@omazhary
Copy link
Author

omazhary commented Mar 8, 2016

Hi John, our scenario only relied on OAuth authentication, that's why we chose this proxy. It performs the authentication with grafana in the background and then logs you in directly to the dashboards. Making the regular grafana login page accessible would make the login process a little confusing.

Regarding the built-in admin account, you should be able to login using the UAA admin, as long as it is the exact same as the one in grafana. That is a bug, but has nothing to do with the proxy. This is basically because grafana calls its default administrator "admin", as well as the UAA. And, since grafana only matches the usernames, you can use any "admin" user to login to the grafana super-user. Ideally, this user should be changed in grafana, by being assigned a different username, either as a default, or by whoever is responsible for installing the system. Then, the new user would have to be created in cloud foundry's UAA as well.

@johnrengelman
Copy link

Got it.

Definitely a bit annoying. Not really an issue with this tool, but was unexpected. Would be nice if Grafana had a property to promote specific accounts to admin on creation. Anyway, I worked around it, but bypassing the proxy, then logging in with the admin account and promoting my OAuth account to be an admin.

Thanks for the pointers.

@omazhary
Copy link
Author

omazhary commented Mar 8, 2016

No problem ;)

@grahamrhay
Copy link

I have the same problem in front of Jenkins, the basic auth header causes the reverse proxy plugin to error, but I need the X headers. It would be great if this was merged.

@zlatkoc
Copy link

zlatkoc commented May 1, 2016

Same issue with Jenkins as @grahamrhay reported.

Please merge this. Thanks!

cldmnky pushed a commit to ExpressenAB/oauth2_proxy that referenced this issue Jun 1, 2016
Allow to pass user headers only (issue bitly#205)
9e08020 
* This fixes bitly#205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy

Signed-off-by: Magnus Bengtsson <magnus.bengtsson@expressen.se>
omazhary pushed a commit to omazhary/oauth2_proxy that referenced this issue Jul 5, 2016
Allow to pass user headers only (issue bitly#205)
fcc14fd 
* This fixes bitly#205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
tekmaven pushed a commit to tekmaven/oauth2_proxy that referenced this issue Jul 13, 2016
Allow to pass user headers only (issue bitly#205)
3eb383a 
* This fixes bitly#205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy

Conflicts:
	oauthproxy.go
	options.go
@jsievers jsievers mentioned this issue Jul 19, 2016
Open
cgag pushed a commit to coreos/oauth2_proxy that referenced this issue Aug 26, 2016
@cgag
Allow to pass user headers only (issue bitly#205)
b55e1ec 
* This fixes bitly#205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
tamsky pushed a commit to bottlenose-inc/oauth2_proxy that referenced this issue Nov 14, 2016
Allow to pass user headers only (issue bitly#205)
6716dd0 
* This fixes bitly#205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
jsievers pushed a commit to omazhary/oauth2_proxy that referenced this issue Jan 24, 2017
@jsievers
Allow to pass user headers only (issue bitly#205)
24f91a0 
* This fixes bitly#205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
@jsievers jsievers mentioned this issue Jan 24, 2017
Merged
chen-anders pushed a commit to wistia/oauth2_proxy that referenced this issue Jan 30, 2017
@chen-anders
Allow to pass user headers only (issue bitly#205)
80ffaae 
* This fixes bitly#205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
@FrederikNJS
Copy link

@jehiah would it be possible to get this merged?

madmod pushed a commit to daffinity/oauth2_proxy that referenced this issue Dec 1, 2017
@madmod
Allow to pass user headers only (issue bitly#205)
290263c 
* This fixes bitly#205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
ryodocx pushed a commit to ryodocx/oauth2_proxy that referenced this issue Mar 18, 2019
@jsievers
Allow to pass user headers only (issue bitly#205)
03490b5 
* This fixes bitly#205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
@satterly satterly mentioned this issue Oct 11, 2021
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow to pass user headers only omazhary/oauth2_proxy
5 participants
@grahamrhay @FrederikNJS @zlatkoc @johnrengelman @omazhary