REST module authenticate credentials issue
Hi all, FreeRADIUS v3.2.6 I'm trying to setup the rest module to authenticate with data to an API but using a fixed API token every time to authenticate the API request itself. I've configured the authenticate section of the rest config to have a username = xxx and password = yyy as per the example/docs. modules { rest { tls { check_cert = no check_cert_cn = no } connect_uri = https://xxx connect_timeout = 4.0 authenticate { uri = "${..connect_uri}/api/v1/auth" method = "post" body = "json" auth = "basic" username = "api-user123" password = "api-password123" data = '{"username": "%{User-Name}", "password": "%{User-Password}"}' tls = ${..tls} } } } But. the API post basic auth header always has the username and password of the end user being checked (%{User-Name}:%{User-Password}), not my configured static username and password (api-user123:api-password123). I'm not using an authorize section, but as a test I've also configured it as above and this correctly EXPANDs the configured static username and password in the auth header. The freeradius -X log shows them EXPANDed correctly in the authorize call, but not mentioned in the authenticate call. (0) authorize { rlm_rest (rest): Reserved connection (0) (0) rest: Expanding URI components (0) rest: EXPAND https://xxx (0) rest: --> https://xxx (0) rest: EXPAND /api/v1/auth (0) rest: --> /api/v1/auth (0) rest: Sending HTTP POST to https://xxx/api/v1/auth (0) rest: EXPAND api-user123 (0) rest: --> api-user123 (0) rest: EXPAND api-password123 (0) rest: --> api-password123 (0) rest: EXPAND {"username": "%{User-Name}", "password": "%{User-Password}"} (0) rest: --> {"username": "user555", "password": "pass555"} (0) rest: Processing response header (0) rest: Status : 204 (User authenticated successfully) But the authenticate section gives: (0) authenticate { rlm_rest (rest): Reserved connection (1) (0) rest: Expanding URI components (0) rest: EXPAND https://xxx (0) rest: --> https://xxx (0) rest: EXPAND /api/v1/auth (0) rest: --> /api/v1/auth (0) rest: Sending HTTP POST to https://xxx/api/v1/auth (0) rest: EXPAND {"username": "%{User-Name}", "password": "%{User-Password}"} (0) rest: --> {"username": "user555", "password": "pass555"} (0) rest: Processing response header (0) rest: Status : 401 (AUTHENTICATION FAILED) No EXPAND lines for the username or password this time. The example mods-available/rest file contains: # The following config items may be listed in any of the sections: <snip> # username - User to authenticate as, will be expanded. # password - Password to use for authentication, will be expanded. It says you can add them to 'any' of the sections but doesn't seen to work in authenticate. So. Q: Is there a way to configure the rest module authenticate section to use configured static credentials? And. One other idea I had was not to use the builtin auth and just add my own additional header containing the basic auth base64 static credentials. But no matter what I try in the authenticate (or authorize for that) section I can't get any additional headers to appear at all. I'm using: control:REST-HTTP-Header := "Authorization: Basic abc123<snip>==" control:REST-HTTP-Header := "X-KP-TEST: testing123" And even if I put an invalid value format for the header I don't get any config error or warning. Have I done something wrong here? Thanks all! Kev/.
On Dec 30, 2024, at 6:41 PM, email.me@kevp.com wrote:
I'm trying to setup the rest module to authenticate with data to an API but using a fixed API token every time to authenticate the API request itself.
Any fixed API token will need to be passed as extra parameters, or as a json blob. You can't use HTTP Authentication for both the user and the API.
I've configured the authenticate section of the rest config to have a username = xxx and password = yyy as per the example/docs.
Except that authenticates the user, not the API request itself.
rest { ... authenticate { uri = "${..connect_uri}/api/v1/auth" method = "post" body = "json" auth = "basic" username = "api-user123" password = "api-password123"
Except that "authenticate" means "authenticate the user" and not "authenticate the REST API".
But. the API post basic auth header always has the username and password of the end user being checked (%{User-Name}:%{User-Password}), not my configured static username and password (api-user123:api-password123).
Because "authenticate" means "authenticate the user" and not "authenticate the REST API". HTTP does not provide a way to send two sets of names && passwords. So the REST module can't do it. The better way is to just use TLS. Set a client certificate via "certificate_file". That will authenticate the connection. You can then do User-Name / User-Password checking via "authenticate".
Q: Is there a way to configure the rest module authenticate section to use configured static credentials?
You can't send *two* usernames and passwords via HTTP.
One other idea I had was not to use the builtin auth and just add my own additional header containing the basic auth base64 static credentials.
That still wont' work. You can't send *two* usernames and passwords via HTTP. Set up TLS, and use a client certificate. This isn't a limitation of FreeRADIUS. It's how HTTP works. Alan DeKok.
More searching of the mailing list led me to this conversation that has helped me resolve my issue and configure the rest module exactly as I need it. Kev/. On 23/07/2020 20:21, Mark Grayson (mgrayson) via Freeradius-Users wrote:
So I set up rest config as
post-auth { uri = "{$..connect_uri}/post" method = 'post' body = 'json' REST-HTTP-Header = "x-api-key: 94332cabcdef57456582e5af2bfa123456789" data = '{"end-user":"radius-test"}' tls = ${..tls} }
REST-HTTP-Header is an attribute, not a config setting, so that isn't the right place for it.
Any idea what I'm doing wrong when trying to configure the x-api-key header?
Before you call the rest module in the post-auth section (in sites-enabled/default), you need to set the attribute, e.g. update control { &REST-HTTP-Header := "x-api-key: 94332cabcdef57456582e5af2bfa123456789" } rest See the notes in raddb/mods-available/rest about that attribute, notably that it will be consumed after the rest call, so if you are making multiple rest calls you'll need to set it each time (using a policy may be the cleanest way to do this). -- Matthew
participants (3)
-
Alan DeKok -
email.me@kevp.com -
Kev Pearce