AUTH_REMOTE_USER reads REMOTE_USER variable instead of HTTP_REMOTE_USER #1764
Comments
This is intended to be used with IIS on an internal network by setting windows authentication enabled and anonymous disabled.
Hi, The documentation mentions Apache and Nginx but I've not seen any reference to IIS in /docs/security.rst. But I don't think the webserver acting as reverse proxy is responsible for the issue at hand. If you tcpdump the traffic between the reverse proxy and the Flask webserver you can see the header is indeed That's why I believe FAB should either read What do you think?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Feel free to reopen it if it's still relevant to you. Thank you
Hi,
I am attempting to run an authenticating reverse proxy in front of a FAB app, and I am faced with this exact issue. Passing As suggested by @sc-anssi, a very simple change would enable authentication to be offloaded. We could check Could this issue please be re-opened @dpgaspar?
Environment
Flask-Appbuilder version: 3.4.1
pip freeze output:
Describe the expected results
When using FAB with AUTH_TYPE = AUTH_REMOTE_USER behind a reverse proxy which sets the request header REMOTE_USER, FAB should authenticate that user when trying to login
Describe the actual results
Authentication fails with message Invalid login. Please try again. when clicking "login" link.
Steps to reproduce
config.py to set AUTH_TYPE = AUTH_REMOTE_USER
Invalid login. Please try again.
Potential lead
I believe CGI uses HTTP request headers as environment variables by prefixing them with HTTP_ (https://www.ietf.org/rfc/rfc3875, section 4.1.18). However FAB reads REMOTE_USER in flask_appbuilder/security/views.py.
Patching the code as follows seems to fix the problem:
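Added example, not the patch referred to above and not Flask-AppBuilder code: a WSGI middleware that reproduces the mismatch described in this issue and copies the header-derived HTTP_REMOTE_USER into REMOTE_USER only when the connection comes from the reverse proxy. The class and function names, the stand-in login app and the addresses are assumptions made for the illustration.

```python
from wsgiref.util import setup_testing_defaults


class TrustedProxyRemoteUser:
    """Promote the proxy's REMOTE_USER header to environ['REMOTE_USER'],
    but only for connections that come from a trusted proxy address."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted_proxies = frozenset(trusted_proxies)

    def __call__(self, environ, start_response):
        # Always remove the header-derived key so nothing downstream trusts it.
        header_user = environ.pop("HTTP_REMOTE_USER", None)
        if header_user and environ.get("REMOTE_ADDR") in self.trusted_proxies:
            environ["REMOTE_USER"] = header_user
        return self.app(environ, start_response)


def whoami_app(environ, start_response):
    """Stand-in for the login view: trusts only environ['REMOTE_USER']."""
    user = environ.get("REMOTE_USER", "")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [user.encode("utf-8")]


def call(app, remote_addr, headers):
    """Build a WSGI environ the way a server does and return the body."""
    environ = {"REMOTE_ADDR": remote_addr}
    setup_testing_defaults(environ)
    for name, value in headers.items():
        # RFC 3875 section 4.1.18: header -> HTTP_ + upper-case, '-' -> '_'
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    body = app(environ, lambda status, response_headers: None)
    return b"".join(body).decode("utf-8")


PROXY = "10.0.0.5"  # constructed address of the reverse proxy
wrapped = TrustedProxyRemoteUser(whoami_app, {PROXY})

if __name__ == "__main__":
    # Bare app: the header lands in HTTP_REMOTE_USER, so no user is seen.
    print(repr(call(whoami_app, PROXY, {"REMOTE_USER": "alice"})))
    # Wrapped app, request from the proxy: the user is promoted.
    print(repr(call(wrapped, PROXY, {"REMOTE_USER": "alice"})))
    # Wrapped app, request from any other peer: the header is dropped.
    print(repr(call(wrapped, "203.0.113.9", {"REMOTE_USER": "admin"})))
```

The address check only helps if the reverse proxy itself overwrites any REMOTE_USER header received from clients before forwarding the request.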