On Dec 30, 2024, at 6:41 PM, email.me@kevp.com wrote:
I'm trying to setup the rest module to authenticate with data to an API but using a fixed API token every time to authenticate the API request itself.
Any fixed API token will need to be passed as extra parameters, or as a json blob. You can't use HTTP Authentication for both the user and the API.
I've configured the authenticate section of the rest config to have a username = xxx and password = yyy as per the example/docs.
Except that authenticates the user, not the API request itself.
rest { ... authenticate { uri = "${..connect_uri}/api/v1/auth" method = "post" body = "json" auth = "basic" username = "api-user123" password = "api-password123"
Except that "authenticate" means "authenticate the user" and not "authenticate the REST API".
But. the API post basic auth header always has the username and password of the end user being checked (%{User-Name}:%{User-Password}), not my configured static username and password (api-user123:api-password123).
Because "authenticate" means "authenticate the user" and not "authenticate the REST API". HTTP does not provide a way to send two sets of names && passwords. So the REST module can't do it. The better way is to just use TLS. Set a client certificate via "certificate_file". That will authenticate the connection. You can then do User-Name / User-Password checking via "authenticate".
Q: Is there a way to configure the rest module authenticate section to use configured static credentials?
You can't send *two* usernames and passwords via HTTP.
One other idea I had was not to use the builtin auth and just add my own additional header containing the basic auth base64 static credentials.
That still wont' work. You can't send *two* usernames and passwords via HTTP. Set up TLS, and use a client certificate. This isn't a limitation of FreeRADIUS. It's how HTTP works. Alan DeKok.