wiltonsr
commented
1 year ago Hi @evan-chaney,
Unfortunately, this behavior comes from the browser's cache.
This StackOverflow question details more about this.
Closed evan-chaney closed 1 year ago
wiltonsr
commented
1 year ago Hi @evan-chaney,
Unfortunately, this behavior comes from the browser's cache.
This StackOverflow question details more about this.
wiltonsr
commented
1 year ago We can create a parameter for cacheTimeout and read these headers:
X-Forwarded-Host:[whoami.localhost]
X-Forwarded-Port:[80]
X-Forwarded-Proto:[HTTP]to create a 302 redirect in the format: X-Forwarded-Proto://logout@X-Forwarded-Host:X-Forwarded-Port that will force the browser to request password again.
wiltonsr
commented
1 year ago Better than this, we already have a RequireAuth method that requests the user to authenticate again:
Just need to validate the cacheTimeout.
wiltonsr
commented
1 year ago Hello, @evan-chaney
I created a new branch add-session, could you test this and report if there is any problem?
The CacheTimeout config param is set to 300s by default, but you can change it to fit your needs.
With this, only one request will be made to LDAP server while the session is valid.
evan-chaney
commented
1 year ago Hello @wiltonsr,
First off thanks for your quick work, this is great stuff! I'm running Traefik in Docker stack and I don't think I can specify a branch for the plugin, only tags. Any chance you could tag the branch or otherwise have it show up as a version on plugins.traefik.io?
wiltonsr
commented
1 year ago I created v0.0.18-beta.
Just wait for refresh on plugins.traefik.io
evan-chaney
commented
1 year ago Ok I got a chance to play with this at work this morning. It seems awesome! No problems over here and things may even be faster. Thanks for your extremely quick response and turnaround!
wiltonsr
commented
1 year ago Glad to know.
I will improve this feature, cause we only read the session cookie, I need to add some level of cryptography to prevent fake/malicious requests to be validated.
For now, you could keep using the v0.0.18-beta release.
I have a Kibana server behind Traefik (v2.9.1) with the ldapAuth plugin (v0.0.17) and I can see 14 authentication requests via the ldapAuth logs just by accessing / on the server. The browser seems to cache the credentials, or perhaps that is happening in ldapAuth but it does show 14 requests being sent to my LDAP server and all of them are authenticated successfully. This isn't a fail-and-retry scenario. I was able to replicate this with a simpler web service just by refreshing the page it authenticates against LDAP in the log even though I don't get a credential prompt in the browser. Is there some way to cache an authentication for an hour or any other configurable amount of time?