Header authentication

The header authentication depends on an external system that authenticates the user. The username and roles are passed via request headers.

Warning: It is essential that the external authentication system is set up correctly because the mechanism described above does NOT perform authentication. All the authentication protection is assumed to be provided externally. If request header authentication is enabled in a scenario that is incorrectly configured, it is possible to assume the identity of a user (impersonation) by simply setting the correct header name.


Property Default value Description
TOKEN_​SERVER_​ADMIN_​HEADER_​AUTH_​ENABLED_​BOOLEAN false Flag to enable or disable the header authentication. By default it is disabled.
TOKEN_​SERVER_​ADMIN_​HEADER_​AUTH_​PRINCIPAL_​HEADER remote-user The name of the header where the admin username is retrieved from.
TOKEN_​SERVER_​ADMIN_​HEADER_​AUTH_​GROUPS_​HEADER remote-groups The name of the header where the group memberships of the admin user are retrieved from.
TOKEN_​SERVER_​ADMIN_​HEADER_​AUTH_​FAIL_​IF_​HEADER_​MISSING_​BOOLEAN false A flag indicating if the application should fail if a header with the username is missing. When this setting is enabled a missing (or empty) header value will result in authentication failure. If this setting is disabled, other authenticators can function as a fallback authentication mechanism.

The groups in the request header should be mapped to roles within the Token Server Admin console. This is done via the same properties as for LDAP Authentication.





GET https://admin.tokenserver.example.com
Content-Type: text/html