Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] Support preemptive basic auth in JDBC driver #28

Open
dai-chen opened this issue Jul 12, 2022 · 8 comments
Open

[FEATURE] Support preemptive basic auth in JDBC driver #28

dai-chen opened this issue Jul 12, 2022 · 8 comments
Labels
enhancement New feature or request

Comments

@dai-chen
Copy link
Collaborator

Is your feature request related to a problem?
Currently basic auth is non-preemptive that expect an authenticate header (WWW-Authenticate: Basic ...) from the server. There is problem when server responds something else, for example, an OpenSearch cluster with SAML enabled returns WWW-Authenticate: X-Security-IdP instead. This fails the basic auth request with a 401 HTTP error.

What solution would you like?
One solution is switch to preemptive auth and enforce it all the time. The impact of this needs to be evaluated carefully.

What alternatives have you considered?
Alternatively, provide a configuration for user to choose which auth mode to use. This may be safer and more flexible option compared with enforcing preemptive auth.

Do you have any additional context?

  1. Non-/Preemptive process in brief: https://stackoverflow.com/questions/7482523/preemptive-authentication-why
  2. The HTTP RFC: https://datatracker.ietf.org/doc/html/rfc2617
  3. Sample HTTP 401 error as below
HttpResponseProxy{HTTP/1.1 401 Unauthorized [Date: Thu, 23 Jun 2022 17:22:31 GMT, Content-Type: text/plain;charset=UTF-8, Content-Length: 0, Connection: keep-alive, Access-Control-Allow-Origin: *, WWW-Authenticate: X-Security-IdP realm="OpenSearch Security"
@dai-chen dai-chen added the enhancement New feature or request label Jul 12, 2022
@dai-chen dai-chen transferred this issue from opensearch-project/sql Dec 14, 2022
@spiralcb
Copy link

Hello

Any update for this ?

We activate SAML on our AWS Opensearch cluster and we have the same issue.

@dai-chen
Copy link
Collaborator Author

dai-chen commented Mar 2, 2023

Hello

Any update for this ?

We activate SAML on our AWS Opensearch cluster and we have the same issue.

Thanks for reporting the issue! Unfortunately, we haven't worked on this yet.

@acarbonetto Could you take a look when you have time? See if we can add this to our roadmap. Thanks!

@GumpacG GumpacG mentioned this issue Apr 17, 2023
Merged
6 tasks
@acarbonetto acarbonetto mentioned this issue Aug 17, 2023
Draft
6 tasks
@imarzouka
Copy link

Hello

Any updates on this issue?

We faced the same issue as well when we enabled OIDC along with basic authentication having (challenge: false).

@lucasfcnunes
Copy link

Hello

Any updates on this issue?

We faced the same issue as well when we enabled OIDC along with basic authentication having (challenge: false).

Same here

@lucasfcnunes
Copy link

@dai-chen I think this was really resolved in a fork Bit-Quill#4

@dai-chen
Copy link
Collaborator Author

@lucasfcnunes I think so. Probably I can close this. Thanks!

@dai-chen dai-chen reopened this Dec 12, 2024
@dai-chen
Copy link
Collaborator Author

dai-chen commented Dec 12, 2024
edited
Loading

@lucasfcnunes Sorry I misunderstood what you posted. So it seems PR was not merged to main repo yet?

@dblock dblock removed the untriaged label Dec 16, 2024
@dblock
Copy link
Member

dblock commented Dec 16, 2024

[Catch All Triage - 1, 2]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dblock @spiralcb @lucasfcnunes @dai-chen @imarzouka