Header authentication
The header authentication depends on an external system that authenticates the user. The username and roles are passed via request headers.
Warning: It is essential that the external authentication system is set up correctly, because the mechanism described here does NOT perform authentication itself. All authentication protection is assumed to be provided externally. If request header authentication is enabled in an incorrectly configured deployment (for example, one where clients can reach the admin console without passing through the trusted proxy that sets the headers), it is possible to assume the identity of any user (impersonation) simply by sending a request with the configured header set.
Configuration
Property | Default value | Description |
---|---|---|
TOKEN_SERVER_ADMIN_HEADER_AUTH_ENABLED_BOOLEAN | false | Flag to enable or disable the header authentication. By default it is disabled. |
TOKEN_SERVER_ADMIN_HEADER_AUTH_PRINCIPAL_HEADER | remote-user | The name of the header where the admin username is retrieved from. |
TOKEN_SERVER_ADMIN_HEADER_AUTH_GROUPS_HEADER | remote-groups | The name of the header where the group memberships of the admin user are retrieved from. |
TOKEN_SERVER_ADMIN_HEADER_AUTH_FAIL_IF_HEADER_MISSING_BOOLEAN | false | A flag indicating if the application should fail if a header with the username is missing. When this setting is enabled a missing (or empty) header value will result in authentication failure. If this setting is disabled, other authenticators can function as a fallback authentication mechanism. |
The groups in the request header should be mapped to roles within the Token Server Admin console. This is done via the same properties as for LDAP Authentication.
Example
Configuration
TOKEN_SERVER_ADMIN_HEADER_AUTH_ENABLED_BOOLEAN=true
TOKEN_SERVER_ADMIN_HEADER_AUTH_PRINCIPAL_HEADER=Username
TOKEN_SERVER_ADMIN_HEADER_AUTH_GROUPS_HEADER=Group
TOKEN_SERVER_ADMIN_HEADER_AUTH_FAIL_IF_HEADER_MISSING_BOOLEAN=true
Request
GET https://admin.tokenserver.example.com
Content-Type: text/html
Username: admin
Group: admin
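As an added example that is not part of the Token Server documentation: a small Python model of the semantics in the configuration table (the defaults, the FAIL_IF_HEADER_MISSING fallback behaviour, case-insensitive header lookup, group-to-role mapping), together with the header stripping that the trusted proxy in front of the admin console has to perform so that client-supplied identity headers never reach the application. The comma separator for multiple groups and the plain dict used for the group-to-role mapping are assumptions; the page does not state either.

```python
from dataclasses import dataclass, field
from typing import Mapping, Optional


@dataclass
class HeaderAuthConfig:
    # Mirrors the TOKEN_SERVER_ADMIN_HEADER_AUTH_* properties and their defaults.
    enabled: bool = False
    principal_header: str = "remote-user"
    groups_header: str = "remote-groups"
    fail_if_header_missing: bool = False
    # Group-to-role mapping. The page only says it reuses the LDAP properties,
    # so a plain dict stands in for it here (assumption).
    group_to_role: Mapping[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Principal:
    username: str
    roles: frozenset


class AuthenticationFailure(Exception):
    """Raised when FAIL_IF_HEADER_MISSING is set and the principal header is absent or empty."""


def authenticate(headers: Mapping[str, str], cfg: HeaderAuthConfig) -> Optional[Principal]:
    """Return a Principal, None (fall through to other authenticators) or raise."""
    if not cfg.enabled:
        return None
    # HTTP header names are case-insensitive, so compare lower-cased names.
    norm = {k.lower(): v for k, v in headers.items()}
    username = (norm.get(cfg.principal_header.lower()) or "").strip()
    if not username:
        if cfg.fail_if_header_missing:
            raise AuthenticationFailure(f"header {cfg.principal_header!r} missing or empty")
        return None  # other authenticators act as fallback
    # Assumption: multiple groups arrive comma-separated.
    raw_groups = norm.get(cfg.groups_header.lower()) or ""
    groups = [g.strip() for g in raw_groups.split(",") if g.strip()]
    roles = frozenset(cfg.group_to_role[g] for g in groups if g in cfg.group_to_role)
    return Principal(username, roles)


def strip_identity_headers(client_headers: Mapping[str, str], cfg: HeaderAuthConfig) -> dict:
    """What the trusted proxy must do before forwarding: drop every client-supplied copy of the
    identity headers, so only the values the proxy sets itself reach the admin console."""
    drop = {cfg.principal_header.lower(), cfg.groups_header.lower()}
    return {k: v for k, v in client_headers.items() if k.lower() not in drop}
```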