REST module authenticate credentials issue

Alan DeKok aland at deployingradius.com
Tue Dec 31 15:40:10 UTC 2024


On Dec 30, 2024, at 6:41 PM, email.me at kevp.com wrote:
> I'm trying to set up the rest module to authenticate with data to an API but
> using a fixed API token every time to authenticate the API request itself.

  Any fixed API token will need to be passed as extra parameters, or as a json blob.  You can't use HTTP Authentication for both the user and the API.

> I've configured the authenticate section of the rest config to have a
> username = xxx and password = yyy as per the example/docs.

  Except that authenticates the user, not the API request itself.

>    rest {
...
>        authenticate {
>            uri = "${..connect_uri}/api/v1/auth"
>            method = "post"
>            body = "json"
>            auth = "basic"
>            username = "api-user123"
>            password = "api-password123"

  Except that "authenticate" means "authenticate the user" and not "authenticate the REST API".

> But the API post basic auth header always has the username and password of
> the end user being checked (%{User-Name}:%{User-Password}), not my
> configured static username and password (api-user123:api-password123).

 Because "authenticate" means "authenticate the user" and not "authenticate the REST API".

  HTTP does not provide a way to send two sets of names && passwords.  So the REST module can't do it.

  The better way is to just use TLS.  Set a client certificate via "certificate_file".  That will authenticate the connection.  You can then do User-Name / User-Password checking via "authenticate".

> Q: Is there a way to configure the rest module authenticate section to use
> configured static credentials?

  You can't send *two* usernames and passwords via HTTP.

> One other idea I had was not to use the builtin auth and just add my own
> additional header containing the basic auth base64 static credentials.

  That still won't work.  You can't send *two* usernames and passwords via HTTP.

  Set up TLS, and use a client certificate.  This isn't a limitation of FreeRADIUS.  It's how HTTP works.

  Alan DeKok.
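
Added example, not part of the original message and not FreeRADIUS code: a Python sketch of the receiving API's side of the setup recommended above, where the TLS client certificate identifies the RADIUS server and the single Basic header identifies the end user. The certificate CN, the user store and all function names are assumptions made for illustration.

```python
import base64
import hmac
import ssl

# Assumption: CN of the client certificate issued to the RADIUS server.
TRUSTED_CLIENT_CNS = {"radius01.example.org"}
# Constructed user store for the demo; a real API would check password hashes.
USERS = {"alice": "correct horse"}

def make_server_context(ca_file, cert_file, key_file):
    """TLS context that refuses any client without a certificate signed by ca_file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def client_cn(peer_cert):
    """Extract commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in (peer_cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = raw.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None

def check_request(peer_cert, authorization):
    """Return an HTTP status: 403 unknown caller, 401 bad user credentials, 204 accepted."""
    # Layer 1: who is calling the API? Decided by the TLS client certificate.
    if client_cn(peer_cert) not in TRUSTED_CLIENT_CNS:
        return 403
    # Layer 2: which end user is being checked? Decided by the one Basic header.
    creds = parse_basic(authorization)
    if creds is None:
        return 401
    expected = USERS.get(creds[0])
    if expected is None or not hmac.compare_digest(expected.encode(), creds[1].encode()):
        return 401
    return 204
```
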
