MediaBrowser / Emby

Emby Server is a personal media server with apps on just about every device.
https://emby.media
GNU General Public License v2.0
4.18k stars 811 forks

[Feature] HTTP Basic Authentication #2494

Open criena opened 7 years ago

criena commented 7 years ago

Our Emby server is located behind a webserver (reverse proxy). Access is protected via HTTP Basic Auth and the webserver also forwards these credentials to Emby.

It would be great if Emby could pick up username and password and use it for authentication opposed to presenting a login dialog. In combination with a centralised authentication backend (e.g. LDAP) this allows an SSO (single-sign-on) setup.

I believe the Emby apps (e.g. iOS, Android, ...) might require adjustments for this to work as well. Currently they seem to not be able to handle the HTTP Basic Auth of our proxy server at all.

Animosity022 commented 7 years ago

Is there a reason you want to have double authentication via Basic Auth and Emby Auth? Seems like you are over complicating the approach.

Basic Auth is also kind of old. You can flip over to forms based auth pretty easily as I did that for my home connection.

I just use a separate domain based virtual host for my emby server and let that through by itself.

criena commented 7 years ago

Basic Auth might be old, but it's also much more secure than advertising Web applications publicly.

If Emby has a security flaw, only internal users will be able to exploit it. Everyone else won't even get access to any part of Emby.

untotren commented 7 years ago

I have been requesting LDAP/SSO/Header auth for almost 2 years now and they seem to be dragging their feet. But please show your support on this FR, as, if anything, it might actually support your use case, depending on the way they implement this.

https://emby.media/community/index.php?/topic/26495-ldap-support/

LukePulverenti commented 6 years ago

Http auth as opposed to Emby auth is a paradigm shift that is probably not realistic, simply because the entire system is built around emby users.

However, having http auth as an additional layer is potentially doable, so that would mean double authentication. How does that affect this feature request?

criena commented 6 years ago

I'm currently doing that with an nginx in front of Emby. The downside is that the app doesn't support this and is therefore unusable if being outside the internal network. But for that I'm using the normal web interface.

Would it be really such an issue to take the login credentials from an HTTP-Auth header opposed to from the current login form?

LukePulverenti commented 6 years ago

Everything is based on an Emby user, so if the user first authenticates with your server using HTTP Basic Auth, they will then need to authenticate with Emby so that we can establish the Emby user for the session.

criena commented 6 years ago

I don't see an issue with Emby requiring a user. Currently Emby takes the login credentials from the login form (username and password). If Emby would check whether an "Authorization" header was sent by the client (in my instance the reverse proxy, nginx) and use these credentials opposed to showing a login form, it should be fine. Emby then still has its user that it can base everything on. Just instead of using an HTML form to provide the username, it would come from HTTP header. The reverse proxy (in my instance nginx) can forward the authentication information to the Emby server. I'm doing this with other servers as well.

criena commented 6 years ago

Just to make sure there is no misunderstanding... This approach means that the user who is logging in via HTTP Basic Auth would need to exist with Emby already in order for the mapping to work. It's just an alternative to the HTML login form. Independent from that it might be interesting to get an LDAP integration for the backend, but that's a separate topic.
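
As an added illustration of the flow criena describes in the two comments above (not part of the thread and not Emby code): a server-side check that reads the forwarded `Authorization` header, verifies it against an already existing user, and otherwise falls back to the login form. The proxy address, the user store and all function names are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample data: proxy address and user store are assumptions.
TRUSTED_PROXIES = {"127.0.0.1"}
_SALT = b"constructed-salt"

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)

USERS = {"alice": _hash("correct horse")}  # users that already exist in the app

def parse_basic(header):
    """Return (username, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None  # other schemes (Bearer, Digest, ...) are not handled here
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: treat as "no credentials"
    username, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep or not username:
        return None
    return username, password

def authenticate(peer_ip, headers):
    """Return the existing user's name, or None to fall back to the login form."""
    if peer_ip not in TRUSTED_PROXIES:
        return None  # only honour the header on the reverse-proxy path
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return None
    username, password = creds
    stored = USERS.get(username)
    candidate = _hash(password)
    # Hash and compare even for unknown names so timing does not reveal them.
    ok = hmac.compare_digest(candidate, stored if stored is not None else b"\0" * 32)
    return username if ok and stored is not None else None
```
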

nomandera commented 6 years ago

Is this request being seriously considered? I am in the same situation and whilst most web applications are quite happy with the web standard HTTP basic, Emby stands out as an exception.

For context Auth basic has been the unexploited norm for 19 years http://www.faqs.org/rfcs/rfc2617.html

If this isn't going to happen can we close this ticket and look at other SSO options since asking users to sign on to each app individually is inelegant.

LukePulverenti commented 6 years ago

We are starting with LDAP which is now up for testing in the beta server. Http basic auth is possible for the future. Thanks.

boospy commented 6 years ago

Yes, LDAP is really one of the best features. After updating the Emby server, if LDAP is in stable, is this feature then usable without a new installation?

LukePulverenti commented 6 years ago

@boospy Can you please clarify your question. LDAP is separate and by itself, it will not provide HTTP Basic Auth. Is this what you mean? Thanks.

boospy commented 6 years ago

I meant only that if I upgrade the actual stable, I have the feature too. Sorry, I'm new with Emby, but very, very happy. Finally a platform without CMD and the wonderful works. Very thanks!