dbeaver / cloudbeaver

Cloud Database Manager
https://dbeaver.com/
Apache License 2.0
3.52k stars, 381 forks

oauth2-proxy enabled to connect to cloudbeaver isn't working with reverse proxy header authentication #2924

Closed JayasreeReddy20 closed 1 month ago

JayasreeReddy20 commented 1 month ago

The configuration for enabling the reverse proxy looks like the below. I have only provided the info needed for the reverse proxy here; the rest of the configuration is already in place.

cloudbeaver.conf

    defaultAuthProvider: "reverseProxy",
    enableReverseProxyAuth: true,
    enabledAuthProviders: [
        "reverseProxy",
        "local"
    ],

    authConfigurations: [
        {
            "id": "reverseProxy",
            "provider": "reverseProxy",
            "displayName": "Reverse Proxy",
            "disabled": false,
            "iconURL": "",
            "description": "",
            "parameters": {
                "logout-url": "",
                "user-header": "X-Auth-Request-User",
                "team-header": " X-Auth-Request-Groups",
                "full-name-header": "X-Auth-Request-Email",
                "team-delimiter": ",",
                "first-name-header": "X-First-name",
                "last-name-header": "X-Last-name"
            }
        }
    ]

    authentication: {
        baseAuthProvider: "reverseProxy",
        primaryAuthProvider: "reverseProxy"
    },

This configuration, which authenticates with a GitHub team user to access CloudBeaver, populates only X-Auth-Request-User, X-Auth-Request-Email and X-Auth-Request-User.

Questions:

  1. What parameters should be used to fetch the first name and last name?
  2. Though the above three headers are fetched and used, the reverse proxy still always asks to connect with local authentication and doesn't take reverse-proxy. How to achieve reverse-proxy auth?
  3. If local-auth is disabled, it pops up to configure the auth settings and doesn't work until this is enabled.

EvgeniaBzzz commented 1 month ago

Hi @JayasreeReddy20. Please take a look at the Reverse-proxy article. I hope this helps you configure everything correctly.

JayasreeReddy20 commented 1 month ago

Hi @EvgeniaBzzz ,

These changes are configured already as shown above in the cloudbeaver.conf and I can see them updated at runtime.conf as well.

DenisSinelnikov commented 1 month ago

Hello, @JayasreeReddy20. Your first and last name configuration settings are set by default. You need to update them depending on what headers are specified in your reverseProxy. Also, one possibility is that you are passing a non-existent team through reverseProxy; you need to create the team first and then use it in reverseProxy. If that doesn't work, can you provide the full config file and any errors from your application log when you try to log in using reverseProxy?

JayasreeReddy20 commented 1 month ago

Hi @DenisSinelnikov, @EvgeniaBzzz

  1. My reverseProxy authentication is configured with GitHub, where GitHub only provides these parameters: X-Auth-Request-User, X-Auth-Request-Groups, and X-Auth-Request-Email. We are under the impression that because the first-name and last-name aren't getting retrieved from GitHub, the reverseProxy isn't able to work. Correct me if my understanding is wrong.

  2. We have created a team in the GitHub organization and are using it as an arg --github-team=cloudbeaver-access in reverseProxy.

  3. Should we also add the team details in the initial-data.conf file as below, added as cloudbeaver-access?

    {
    teams: [
        {
            subjectId: "admin",
            teamName: "Admin",
            description: "Administrative access. Has all permissions.",
            permissions: [ "admin" ]
        },
        {
            subjectId: "user",
            teamName: "User",
            description: "All users, including anonymous.",
            permissions: [ ]
        },
        {
            subjectId: "Cloudbeaver Access",
            teamName: "Cloudbeaver Access",
            description: "Administrative access. Has all permissions.",
            permissions: [ "admin" ]
        }    
    ]
    }
    1. This is my server configuration.
      {
        "server": {
          "serverName": "CloudBeaver CE Server",
          "serverURL": "provided my server url",
          "expireSessionAfterPeriod": 1800000,
          "database": {
            "driver": "h2_embedded_v2",
            "url": "jdbc:h2:/opt/cloudbeaver/workspace/.data/cb.h2v2.dat",
            "initialDataConfiguration": "conf/initial-data.conf",
            "backupEnabled": false,
            "pool": {
              "minIdleConnections": 4.0,
              "validationQuery": "SELECT 1",
              "maxIdleConnections": 10.0,
              "maxConnections": 100.0
            }
          },
          "sm": {
            "passwordPolicy": {
              "minLength": 8.0,
              "minNumberCount": 1.0,
              "minSymbolCount": 0.0,
              "requireMixedCase": true
            }
          }
        },
        "app": {
          "anonymousAccessEnabled": false,
          "supportsCustomConnections": false,
          "publicCredentialsSaveEnabled": false,
          "adminCredentialsSaveEnabled": false,
          "enableReverseProxyAuth": true,
          "forwardProxy": true,
          "linkExternalCredentialsWithUser": true,
          "redirectOnFederatedAuth": false,
          "resourceManagerEnabled": true,
          "showReadOnlyConnectionInfo": false,
          "grantConnectionsAccessToAnonymousTeam": false,
          "systemVariablesResolvingEnabled": false,
          "resourceQuotas": {
            "dataExportFileSizeLimit": 1.0E7,
            "resourceManagerFileSizeLimit": 500000.0,
            "sqlMaxRunningQueries": 100.0,
            "sqlResultSetRowsLimit": 100000.0,
            "sqlResultSetMemoryLimit": 2000000.0,
            "sqlTextPreviewMaxLength": 2000000.0,
            "sqlBinaryPreviewMaxLength": 261120.0
          },
          "defaultNavigatorSettings": {},
          "enabledFeatures": [],
          "enabledAuthProviders": [
            "reverseProxy"
          ],
          "enabledDrivers": [],
          "disabledDrivers": [
            "sqlite:sqlite_jdbc",
            "h2:h2_embedded",
            "clickhouse:yandex_clickhouse",
            "generic:duckdb_jdbc",
            "h2:h2_embedded_v2"
          ],
          "authConfigurations": [
            {
              "id": "reverseProxy",
              "provider": "reverseProxy",
              "displayName": "Reverse Proxy",
              "disabled": false,
              "iconURL": "",
              "description": "",
              "parameters": {
                "logout-url": "",
                "user-header": "X-Auth-Request-User",
                "team-header": " X-Auth-Request-Groups",
                "full-name-header": "X-Auth-Request-Email",
                "team-delimiter": ",",
                "first-name-header": "X-First-name",
                "last-name-header": "X-Last-name"
              }
            }
          ]
        }
      }
  4. Here is my product.conf

    // Product configuration. Customized web application behavior
    // It is in JSONC format
    {
    // Global properties
    core: {
      // User defaults
      user: {
          defaultTheme: "light",
          defaultLanguage: "en"
      },
      app: {
          // Log viewer config
          logViewer: {
              refreshTimeout: 3000,
              logBatchSize: 1000,
              maxLogRecords: 2000,
              maxFailedRequests: 3
          }
      },
      authentication: {
          baseAuthProvider: "reverseProxy",
          primaryAuthProvider: "reverseProxy"
      },
      'navigation-tree': {
          childrenLimit: 4000,
          editing: true,
          deleting: true
      }
    },
    // Notifications config
    core_events: {
      notificationsPool: 5
    },
    plugin_data_spreadsheet_new: {
      hidden: false
    },
    plugin_data_export: {
      disabled: false
    }
    }

Please let us know if we are missing anything or if something is wrongly configured. Thanks for the quick response so far :)

EvgeniaBzzz commented 1 month ago

@JayasreeReddy20

  1. ReverseProxy can work without first/last name, they are optional.
  2. and 3. Yes, you should add your custom team to initial-data.conf. Your example is right.

JayasreeReddy20 commented 1 month ago

Hi @EvgeniaBzzz ,

It worked for me with the following update of user and team header though I didn't add the first and last name headers. It worked with X-Forwarded-User and X-Forwarded-Team.

    "parameters": {
        "logout-url": "https://your_logout_url_if_needed",
        "user-header": "X-Forwarded-User",
        "team-header": "X-Forwarded-Team",
        "team-delimiter": ",",
        "first-name-header": "X-First-Name",
        "last-name-header": "X-Last-Name"
    }

Thanks for your support :)
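
An added example, not part of the original comment and not CloudBeaver code: a small check that compares the `*-header` parameters of a reverseProxy auth configuration with the headers that actually reach the backend, and lists teams the server does not know. It assumes exact, case-insensitive header lookup and exact team-id matching; the function names, the `RECEIVED` headers and the known-team set are constructed for illustration.

```python
import re

# RFC 9110 "token": the only characters valid in an HTTP header field name.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def check_header_mapping(parameters, received):
    """Map each '*-header' parameter to ok / empty / absent / malformed-name.
    Assumption: the backend looks headers up by exact, case-insensitive name."""
    seen = {name.lower(): value for name, value in received.items()}
    report = {}
    for key, name in parameters.items():
        if not key.endswith("-header"):
            continue
        if not TOKEN.match(name):
            report[key] = "malformed-name"  # e.g. stray whitespace in the name
        elif name.lower() not in seen:
            report[key] = "absent"
        elif not seen[name.lower()].strip():
            report[key] = "empty"
        else:
            report[key] = "ok"
    return report

def unknown_teams(parameters, received, known_team_ids):
    """Teams sent by the proxy with no team of that id on the server.
    Assumption: team values are compared to team ids as exact strings."""
    seen = {name.lower(): value for name, value in received.items()}
    raw = seen.get(parameters["team-header"].lower(), "")
    delimiter = parameters.get("team-delimiter", ",")
    teams = [t.strip() for t in raw.split(delimiter) if t.strip()]
    return [t for t in teams if t not in known_team_ids]

# Header parameters as first posted in the thread, copied verbatim.
POSTED = {"user-header": "X-Auth-Request-User",
          "team-header": " X-Auth-Request-Groups",
          "full-name-header": "X-Auth-Request-Email",
          "first-name-header": "X-First-name",
          "last-name-header": "X-Last-name", "team-delimiter": ","}
# Header parameters from the final, working comment.
WORKING = {"user-header": "X-Forwarded-User", "team-header": "X-Forwarded-Team",
           "first-name-header": "X-First-Name",
           "last-name-header": "X-Last-Name", "team-delimiter": ","}
# Constructed sample of what reaches the backend; values are made up.
RECEIVED = {"x-forwarded-user": "octocat",
            "x-forwarded-team": "cloudbeaver-access,data-eng"}

if __name__ == "__main__":
    for label, params in (("posted", POSTED), ("working", WORKING)):
        print(label, check_header_mapping(params, RECEIVED))
    print(unknown_teams(WORKING, RECEIVED, {"admin", "user", "cloudbeaver-access"}))
```

Feed it headers captured at the backend rather than in the browser, since only what the proxy forwards upstream is visible to the application.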

EvgeniaBzzz commented 1 month ago

Great! Thanks for the update 🦫