Apache mod_auth_kerb - apache

I have a setup using apache and mod_auth_kerb to authenticate users and proxy them to the destination web server using a HTTP header with username (X-Remote-User).
How do i setup a proper logout mechanism from the destination web server?
- URL to call or similar?

Our setup works like this:
We have one url, which is protected by Kerberos:
/kerberos_login
Once client access it, Kerberos authentication is performed. If successful, client is redirected to / — this is not protected by Kerberos.
To log out, clients have to access logout url (that one is also not protected by Kerberos):
/logout

Related

Keycloak server exposed via 2 public URLs

Keycloak introduced the concept of "Frontend URL" to enable different URLs for front-channel and back-channel requests towards Keycloak.
We have a use case where same Keycloak server is exposed via 2 public URLs (over 2 separate VPNs which are not accessible to each other) via separate Nginx proxies in a Kubernetes cluster:
domain1.company.com
domain2.company.com
and an internal URL:
internal.company.com
Problem is that we can set only one Frontend URL. For example, let's say we set it to domain1.company.com. Now when public clients access Keycloak via domain2.company.com using OIDC Discovery Endpoint, they get the authorization_endpoint as https://domain1.company.com/auth/realms/{realm-name}/protocol/OpenID-connect/auth which is not accessible due to separate VPNs.
By allowing only one value of Frontend URL, Keycloak assumes that the server is accessible via only one public URL, which may not be the case as in our example.
Is there a solution available to this problem?
There is an enhancement proposed for you use case: https://issues.redhat.com/browse/KEYCLOAK-15553

Outsourcing Grafana's authentication process to my application server

Background:
I have an application server that has an endpoint of /api/token. What this API does is it performs authentication against the supplied username and password using the standard basic authentication protocol.
When the process is successful, it returns an access token and HTTP code of 200 (OK). When fails, HTTP code 401 (unauthorised) is returned.
Question: Is there any way I can make Grafana's login page to pass on the login credential to my application server for authentication?
No, unless you want to hack source code.
But you can use Grafana in auth proxy mode, where authentication will be made by some "auth" proxy. For example, auth will be made by reverse proxy (e.g. Apache+mod_authnz_external) which will be in front of Grafana. All auth logic will be there and Grafana will just receive the request with request header X-WEBAUTH-USER value when user authentication is successful.
Another option is to start OIDC Identity Provider (for example Keycloak), which will use your app auth endpoint for authentication. Grafana has native OIDC/OAuth support, so it will be just configured against your OIDC Identity Provider.

Apache reverse proxy backend authentication

I've setup apache reverse proxy for my application with ldap authentication.
The problem is that the backend application also requires authentication.
After I entered ldap credentials, it always returns 401 and doesn't prompt for the application authentication.
The backend uses different credentials.
Assuming that the backend-server uses the very same LDAP authentication as the frontend you might want to have a look env var proxy-chain-auth in docs for mod_proxy_http.

Service Stack Basic Auth Routes only accesible from localhost?

I'm using service stacks basic auth plugin. When I access any of the auth routes it adds like /register, or /auth from the machine the service is running on (localhost) the routes work fine.
When I access the routes from one of my clients on another machine I get 401 not authorized errors on all of these routes.
I already have the Cors plugin enabled, and my non authentication routes are working fine from remote clients.
Is there something else that needs configured to allow access to the auth routes to work from remote clients/ips?
The response is always a 401 it appears if the authentication user or password is wrong or doesn't exist. With an existing user or password it is fine.

Programmatically send username & password to Apache web server

I currently need to access an API that is set up in an staging environment on an Apache web server but the web server throws up a username/password dialog when browsing to the API url. Unfortunately I do not have access or control over the behavior of this web server.
Is it possible to programmatically send the username and password to an Apache web server?
You have ran into Basic Access Authentication. You just need to pass the username and password as part of the URL:
http://username:password#url.com/page.html
Use the following:
http://user:pass#domain.tld/path
Have you tried sending the Authorization header incorporating the base-64-encoded credentials as part of the HTTP request as described in the linked Wikipedia article?