REST module authenticate credentials issue
email.me at kevp.com
email.me at kevp.com
Mon Dec 30 23:41:07 UTC 2024
Hi all,
FreeRADIUS v3.2.6
I'm trying to setup the rest module to authenticate with data to an API but
using a fixed API token every time to authenticate the API request itself.
I've configured the authenticate section of the rest config to have a
username = xxx and password = yyy as per the example/docs.
modules {
rest {
tls {
check_cert = no
check_cert_cn = no
}
connect_uri = https://xxx
connect_timeout = 4.0
authenticate {
uri = "${..connect_uri}/api/v1/auth"
method = "post"
body = "json"
auth = "basic"
username = "api-user123"
password = "api-password123"
data = '{"username": "%{User-Name}", "password":
"%{User-Password}"}'
tls = ${..tls}
}
}
}
But. the API post basic auth header always has the username and password of
the end user being checked (%{User-Name}:%{User-Password}), not my
configured static username and password (api-user123:api-password123).
I'm not using an authorize section, but as a test I've also configured it as
above and this correctly EXPANDs the configured static username and password
in the auth header.
The freeradius -X log shows them EXPANDed correctly in the authorize call,
but not mentioned in the authenticate call.
(0) authorize {
rlm_rest (rest): Reserved connection (0)
(0) rest: Expanding URI components
(0) rest: EXPAND https://xxx
(0) rest: --> https://xxx
(0) rest: EXPAND /api/v1/auth
(0) rest: --> /api/v1/auth
(0) rest: Sending HTTP POST to https://xxx/api/v1/auth
(0) rest: EXPAND api-user123
(0) rest: --> api-user123
(0) rest: EXPAND api-password123
(0) rest: --> api-password123
(0) rest: EXPAND {"username": "%{User-Name}", "password":
"%{User-Password}"}
(0) rest: --> {"username": "user555", "password": "pass555"}
(0) rest: Processing response header
(0) rest: Status : 204 (User authenticated successfully)
But the authenticate section gives:
(0) authenticate {
rlm_rest (rest): Reserved connection (1)
(0) rest: Expanding URI components
(0) rest: EXPAND https://xxx
(0) rest: --> https://xxx
(0) rest: EXPAND /api/v1/auth
(0) rest: --> /api/v1/auth
(0) rest: Sending HTTP POST to https://xxx/api/v1/auth
(0) rest: EXPAND {"username": "%{User-Name}", "password":
"%{User-Password}"}
(0) rest: --> {"username": "user555", "password": "pass555"}
(0) rest: Processing response header
(0) rest: Status : 401 (AUTHENTICATION FAILED)
No EXPAND lines for the username or password this time.
The example mods-available/rest file contains:
# The following config items may be listed in any of the sections:
<snip>
# username - User to authenticate as, will be expanded.
# password - Password to use for authentication, will be
expanded.
It says you can add them to 'any' of the sections but doesn't seen to work
in authenticate.
So.
Q: Is there a way to configure the rest module authenticate section to use
configured static credentials?
And.
One other idea I had was not to use the builtin auth and just add my own
additional header containing the basic auth base64 static credentials.
But no matter what I try in the authenticate (or authorize for that) section
I can't get any additional headers to appear at all.
I'm using:
control:REST-HTTP-Header := "Authorization: Basic abc123<snip>=="
control:REST-HTTP-Header := "X-KP-TEST: testing123"
And even if I put an invalid value format for the header I don't get any
config error or warning.
Have I done something wrong here?
Thanks all!
Kev/.
More information about the Freeradius-Users
mailing list