This repository has been archived by the owner on Mar 27, 2019. It is now read-only.

Add support for token auth via HTTP Header #39

Closed
tallpauley opened this issue Jan 18, 2017 · 7 comments

@tallpauley
Collaborator

tallpauley commented Jan 18, 2017

I would love if Vault UI could read a Vault token in X-Remote-User (or whatever name) if present, allowing use of custom SSO front-end. In my use case, we would have a SAML 2.0 SSO proxy which could use a hook to get a Vault token for a user and pass it along to Vault UI so that the user wouldn't need to log in again after SSO.

SAML for Vault is sort-of in-progress but the future is unclear due to variance in SAML implementations. The ability to read a Vault token from X-Remote-User would be a nice universal adapter for SSO not-yet-supported by Vault (or never supported by Vault). It doesn't compromise security since Vault tokens can't be forged.

By the way, this UI is the most promising Vault UI I've seen so far. Keep up the good work!

@msessa
Collaborator

msessa commented Jan 18, 2017

Check out #40 for a possible implementation

@djenriquez
Owner

To clarify what #40 is trying to achieve: VAULT_SUPPLIED_TOKEN_HEADER would be used to tell the server to look for the header defined in this environment variable, then take that header's value which will be assumed to hold a token to authenticate into Vault-UI.

I understand that this should take care of your request, @tallpauley, what do you think?

@tallpauley
Collaborator Author

tallpauley commented Jan 18, 2017

@djenriquez yeah, configurable header name is a nice touch. Exactly what I'm looking for, and I can close the issue as soon as the change is made to the PR and it merges. Thanks for the fast contribution @msessa-cotd

@djenriquez
Owner

#40 Merged

@rohitkoul

rohitkoul commented Nov 10, 2017

@djenriquez This doesn't seem to be working for me.
In 2.3.0, using token auth - I did the following:

  • set the VAULT_SUPPLIED_TOKEN_HEADER as "myheader".
  • set the "myheader" header value as vault root token.
  • Hit the vault ui. It still throws me a login page. I expected it to log me in as root.
  • Puzzled, I hit the login button (with no value for token), and I see that X-VAULT-TOKEN is being set as "myheader".
    Looks like VAULT_SUPPLIED_TOKEN_HEADER is being taken as the token value and not the name of the header that has the value. I believe that was not the intent of Allow a request header to be used to provide the auth token #40. Can you confirm the behavior?
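The mix-up described in this report, as an added JavaScript example that is not Vault UI's own code: the buggy reading treats the value of VAULT_SUPPLIED_TOKEN_HEADER as the token, the intended reading treats it as the name of the header whose value is the token. The environment object and request are passed in explicitly and the request headers are constructed sample data.

```javascript
// Added example, not code from the Vault UI project.
// Requests are modelled as plain objects with a lowercased `headers` map,
// as Node's http module presents them; env is passed in rather than read
// from process.env so both functions are pure and testable.

// Buggy reading (the behaviour rohitkoul observed): the environment variable's
// value itself is used as the token, so every login sends "myheader" upstream.
function tokenFromRequestBuggy(env, req) {
  return env.VAULT_SUPPLIED_TOKEN_HEADER || null;
}

// Intended reading: the environment variable names a header; the token is
// that header's value on the incoming request. Header names are
// case-insensitive and Node lowercases them, so the lookup lowercases too.
// Returns null when the feature is off or the header is missing/empty, so the
// caller falls back to the normal login form instead of sending an empty token.
function tokenFromRequest(env, req) {
  const headerName = env.VAULT_SUPPLIED_TOKEN_HEADER;
  if (!headerName) return null;
  const value = req.headers[headerName.toLowerCase()];
  if (typeof value !== 'string' || value.trim() === '') return null;
  return value.trim();
}

// Constructed sample: env as rohitkoul set it, and a request as an SSO proxy in
// front of the UI would forward it. Deployment assumption, not Vault UI code:
// the header is only trustworthy when the proxy is the sole path to the UI and
// overwrites any copy of that header the client supplied.
const sampleEnv = { VAULT_SUPPLIED_TOKEN_HEADER: 'myheader' };
const sampleReq = {
  headers: { host: 'vault-ui.internal', myheader: 'constructed-placeholder-token' },
};

console.log('buggy   :', tokenFromRequestBuggy(sampleEnv, sampleReq)); // "myheader"
console.log('intended:', tokenFromRequest(sampleEnv, sampleReq));      // the header's value
```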

@djenriquez
Owner

Yup, and I see the bug already. Surprising we got this far without anyone noticing it. Will have a fix here in a bit @rohitkoul

@djenriquez
Owner

@rohitkoul: #220, merging in, feel free to test on :latest in a few minutes.
