
Header authentication

The header authentication depends on an external system that authenticates the user. The username and roles are passed via request headers.

Warning: It is essential that the external authentication system is set up correctly, because the mechanism described here does NOT perform any authentication itself. All authentication protection is assumed to be provided externally. If request header authentication is enabled in an incorrectly configured deployment, it is possible to assume the identity of any user (impersonation) simply by sending a request with the expected header set to that username.

Configuration

Property: TOKEN_SERVER_ADMIN_HEADER_AUTH_ENABLED_BOOLEAN
Default value: false
Description: Flag to enable or disable the header authentication. By default it is disabled.

Property: TOKEN_SERVER_ADMIN_HEADER_AUTH_PRINCIPAL_HEADER
Default value: remote-user
Description: The name of the header from which the admin username is retrieved.

Property: TOKEN_SERVER_ADMIN_HEADER_AUTH_GROUPS_HEADER
Default value: remote-groups
Description: The name of the header from which the group memberships of the admin user are retrieved.

Property: TOKEN_SERVER_ADMIN_HEADER_AUTH_FAIL_IF_HEADER_MISSING_BOOLEAN
Default value: false
Description: A flag indicating whether the application should fail if the header carrying the username is missing. When this setting is enabled, a missing (or empty) header value results in authentication failure. If this setting is disabled, other authenticators can function as a fallback authentication mechanism.

The groups in the request header should be mapped to roles within the Token Server Admin console. This is done via the same properties as for LDAP Authentication.

Example

Configuration

TOKEN_SERVER_ADMIN_HEADER_AUTH_ENABLED_BOOLEAN=true
TOKEN_SERVER_ADMIN_HEADER_AUTH_PRINCIPAL_HEADER=Username
TOKEN_SERVER_ADMIN_HEADER_AUTH_GROUPS_HEADER=Group
TOKEN_SERVER_ADMIN_HEADER_AUTH_FAIL_IF_HEADER_MISSING_BOOLEAN=true

Request

GET https://admin.tokenserver.example.com
Content-Type: text/html
Username: admin
Group: admin

Because the configuration above renames the principal and groups headers, the request must carry Username and Group rather than the default remote-user and remote-groups; with TOKEN_SERVER_ADMIN_HEADER_AUTH_FAIL_IF_HEADER_MISSING_BOOLEAN=true, a request that still uses the default header names is rejected instead of falling back to another authenticator.
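The following is an added illustration of the behaviour described by the configuration table and the example above; it is not Token Server Admin's own code. It models the four TOKEN_SERVER_ADMIN_HEADER_AUTH_* properties in a small authenticator whose only inputs are the headers it is handed, which is exactly why those headers must come from the trusted external system and never from the client. The class, function and exception names are assumptions chosen for the example.

```python
from dataclasses import dataclass

PREFIX = "TOKEN_SERVER_ADMIN_HEADER_AUTH_"


@dataclass
class HeaderAuthConfig:
    """Mirrors the TOKEN_SERVER_ADMIN_HEADER_AUTH_* properties from the table above."""
    enabled: bool = False
    principal_header: str = "remote-user"
    groups_header: str = "remote-groups"
    fail_if_header_missing: bool = False

    @classmethod
    def from_env(cls, env):
        # env: dict of property name -> string value, as read from the environment
        flag = lambda name, default: env.get(PREFIX + name, str(default)).strip().lower() == "true"
        return cls(
            enabled=flag("ENABLED_BOOLEAN", False),
            principal_header=env.get(PREFIX + "PRINCIPAL_HEADER", "remote-user"),
            groups_header=env.get(PREFIX + "GROUPS_HEADER", "remote-groups"),
            fail_if_header_missing=flag("FAIL_IF_HEADER_MISSING_BOOLEAN", False),
        )


class AuthenticationFailed(Exception):
    """Principal header missing or empty while the fail-if-missing flag is set."""


def authenticate(cfg, headers):
    """Return (username, groups) from the request headers, or None so that other
    authenticators can act as a fallback. Trusts its input completely, so it must
    only ever see headers set by the external authentication system."""
    if not cfg.enabled:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    username = (lowered.get(cfg.principal_header.lower()) or "").strip()
    if not username:
        if cfg.fail_if_header_missing:
            raise AuthenticationFailed(f"header {cfg.principal_header!r} missing or empty")
        return None  # flag disabled: let the next authenticator try
    raw_groups = lowered.get(cfg.groups_header.lower()) or ""
    groups = [g.strip() for g in raw_groups.split(",") if g.strip()]
    return username, groups


# Constructed sample: the configuration from the example above.
EXAMPLE_CONFIG = HeaderAuthConfig.from_env({
    PREFIX + "ENABLED_BOOLEAN": "true",
    PREFIX + "PRINCIPAL_HEADER": "Username",
    PREFIX + "GROUPS_HEADER": "Group",
    PREFIX + "FAIL_IF_HEADER_MISSING_BOOLEAN": "true",
})
```

With EXAMPLE_CONFIG, a request carrying Username and Group is accepted, while one that still sends the default remote-user and remote-groups names is rejected because the fail-if-missing flag is set.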