louketo / louketo-proxy

A OpenID / Proxy service
Apache License 2.0
950 stars 343 forks

Support for REMOTE_USER Header #669

Open Ryonez opened 4 years ago

Ryonez commented 4 years ago

Title

Support for REMOTE_USER Header

Summary

Allow Gatekeeper to pass a REMOTE_USER header to the backend service

Why?

Allows gatekeeper to log users into sites which pass authentication onto the proxy/web server.

How

The header must be named REMOTE_USER, username is a good default value, but being able to set other things like email would be appreciated.

Acceptance criteria

That it works.

Additional Information

I'm attempting to get this going with Firefly-iii. There was an issue here where the author added support for the REMOTE_USER header.

jangaraj commented 4 years ago

Could you try https://github.com/louketo/louketo-proxy/pull/532

E.g.:

```yaml
add-claims:
- email|REMOTE_USER
```

Ryonez commented 4 years ago

The site is claiming the header is empty. Claim in gatekeeper's YAML: [image]

Site response: [image]

jangaraj commented 4 years ago

That was only an example. Make sure you have the email claim in the access token when you want to use it. Also, email|REMOTE_USER != email | REMOTE_USER. The code doesn't work with spaces, so don't use them, pls.

Ryonez commented 4 years ago

Alright, thank you for pointing out the spaces.

Two questions. First, I don't know how to make sure it is in the access token. I thought add-claims was meant to add it, and I can't see the tokens or unencrypted tokens, so I really have no idea what's happening in them. Second, is it possible to use username in place of email? Emails in my system are somewhat flexible; usernames are not.

jangaraj commented 4 years ago

Go to the helper /oauth/token and you will see what is available. And of course, you have the flexibility to map any claim from the token to any header:

```yaml
add-claims:
- username|REMOTE_USER
- roles|GROUPS
- groups|ROLES
- preferred_username|nickname
....
```
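
The `claim|HEADER` mapping discussed above, modelled as a small Python routine. This is an added example, not louketo-proxy's own code; it assumes only the syntax shown in the thread (claim name, a `|`, header name, no spaces) and reproduces the two ways a mapped header ends up empty at the backend: the entry contains stray whitespace, or the named claim is not in the access token. The sample token claims are constructed for the example.

```python
"""Model of the add-claims `claim|HEADER` mapping (added example, not
louketo-proxy's code). Assumes the syntax from the thread: no spaces."""
from typing import Dict, List, Tuple

# Constructed sample: what a decoded access token might carry. Note it has
# `preferred_username` but no `username` claim, so `username|REMOTE_USER`
# would map nothing.
SAMPLE_TOKEN_CLAIMS: Dict[str, object] = {
    "sub": "1234",
    "preferred_username": "ryonez",
    "email": "ryonez@example.invalid",
    "roles": ["user"],
}


def parse_add_claims(entries: List[str]) -> List[Tuple[str, str]]:
    """Split each `claim|HEADER` entry into (claim, header).

    Rejects entries without a `|` and entries containing whitespace, which
    the thread says the proxy does not accept ("email | REMOTE_USER" would
    otherwise silently look up a claim named " email ").
    """
    mapping: List[Tuple[str, str]] = []
    for entry in entries:
        if "|" not in entry:
            raise ValueError(f"missing '|' in add-claims entry: {entry!r}")
        claim, header = entry.split("|", 1)
        if not claim or not header or claim != claim.strip() or header != header.strip():
            raise ValueError(
                f"whitespace or empty field in add-claims entry {entry!r}; "
                f"write it as {claim.strip()}|{header.strip()}"
            )
        mapping.append((claim, header))
    return mapping


def claims_to_headers(
    mapping: List[Tuple[str, str]], token_claims: Dict[str, object]
) -> Tuple[Dict[str, str], List[str]]:
    """Build the upstream headers for one request.

    Returns (headers, missing): `missing` lists the claim names that were
    requested but absent from the token. For those, no header is set at all,
    which is what the backend reports as "the header is empty".
    """
    headers: Dict[str, str] = {}
    missing: List[str] = []
    for claim, header in mapping:
        if claim not in token_claims:
            missing.append(claim)
            continue
        value = token_claims[claim]
        # Array claims (roles, groups) are flattened to a comma-separated list.
        if isinstance(value, list):
            value = ",".join(str(v) for v in value)
        headers[header] = str(value)
    return headers, missing


if __name__ == "__main__":
    config = ["email|REMOTE_USER", "roles|GROUPS", "username|X-USER"]
    hdrs, missing = claims_to_headers(parse_add_claims(config), SAMPLE_TOKEN_CLAIMS)
    print("headers sent upstream:", hdrs)
    print("claims not in token (header not set):", missing)
```

The `missing` list is the check worth running first when a backend reports an empty header: compare it against the claims actually present in the token (the `/oauth/token` helper mentioned above shows them), because a mapping that names a claim the token does not carry produces no header rather than an error.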
Ryonez commented 4 years ago

What is helper? I'm not sure what you're asking me to look at.

jangaraj commented 4 years ago

https://github.com/louketo/louketo-proxy/blob/master/docs/user-guide.md#endpoints

Ryonez commented 4 years ago

/protocol/oauth/token

Most of my endpoints seem to be openid-connect; however, I'm not getting info from them either.

Sorry, I used it on the keycloak url, not through gatekeeper. One moment.

Ryonez commented 4 years ago

Alright, the token does have the values.

[image]

However the site is saying the header is empty still.

Ryonez commented 4 years ago

Is there a way to see what headers it's passing through to the backend service? Knowing what's there or not would at least give direction on whether it's an issue with gatekeeper or firefly.
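
One way to answer the question above is to put a throwaway backend behind the proxy that simply echoes back every request header it receives. The following is an added example, not part of this issue or of louketo-proxy: a standard-library WSGI app, run in place of the real upstream, that returns the received headers as JSON so a missing REMOTE_USER shows up as absent rather than being inferred from the application's behaviour. The listening port 8080 and the sample environ are constructed assumptions.

```python
"""Header echo backend (added example, not louketo-proxy's code).
Run it as the upstream the proxy forwards to, then request any path through
the proxy; the JSON body lists the headers that actually arrived."""
import json
from typing import Dict
from wsgiref.simple_server import make_server


def received_headers(environ: Dict[str, object]) -> Dict[str, str]:
    """Recover request headers from a WSGI environ.

    WSGI stores a header as HTTP_<NAME> with hyphens turned into underscores,
    so `Remote-User` and `REMOTE_USER` both arrive as HTTP_REMOTE_USER and
    are reported here as `Remote-User`; the echo cannot tell them apart.
    """
    headers: Dict[str, str] = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].replace("_", "-").title()] = str(value)
        elif key in ("CONTENT_TYPE", "CONTENT_LENGTH") and value:
            headers[key.replace("_", "-").title()] = str(value)
    return headers


def echo_body(environ: Dict[str, object]) -> Dict[str, object]:
    """The structure returned to the caller: path plus received headers."""
    return {
        "path": str(environ.get("PATH_INFO", "")),
        "headers": received_headers(environ),
    }


def echo_app(environ, start_response):
    """WSGI entry point: 200 OK with a JSON dump of the received headers."""
    body = json.dumps(echo_body(environ), indent=2).encode("utf-8")
    start_response(
        "200 OK",
        [("Content-Type", "application/json"), ("Content-Length", str(len(body)))],
    )
    return [body]


if __name__ == "__main__":
    # Assumed port; point the proxy's upstream at http://<this host>:8080.
    with make_server("", 8080, echo_app) as httpd:
        print("echo backend listening on :8080")
        httpd.serve_forever()
```

Two caveats when reading the output. First, header names with underscores are dropped by some intermediaries (nginx discards them unless `underscores_in_headers on` is set), so if another proxy sits between gatekeeper and the backend, a REMOTE_USER header can vanish there rather than in gatekeeper. Second, while the echo backend is in place it is worth sending a request through the proxy that itself carries a REMOTE_USER header and confirming the value that reaches the backend is the one the proxy set, not the client's: a backend that logs users in from this header must only be reachable through the proxy.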

JC5 commented 4 years ago

I'm putting some pointers in the other issue. This is a relatively new feature for Firefly III as well, so I'm equally curious.

Ryonez commented 4 years ago

Following JC5's information, I've been able to determine that gatekeeper is not adding the custom REMOTE_USER header, only the default X_AUTH headers.

Ryonez commented 4 years ago

Edit: Posted this in the wrong issue thread.