JWT authentication not supported

[lhayesg]

New to working with Malcolm....

We were trying to use JWT for authentication, made some changes to the install.py to allow jwt to be an option and have the env files updated accordingly.

Now when we hit : https:///auth we get a message that htadmin is disabled.

What is it checking that makes it think htadmin is disabled?

Yes we ran the auth_setup script to create the administrative user.
The error seems to be coming from the htadmin service.

Here is the auth_common.env if it helps:

NGINX_BASIC_AUTH=jwt

NGINX_LDAP_TLS_STUNNEL=false

NGINX_LDAP_TLS_STUNNEL_CHECK_HOST=
NGINX_LDAP_TLS_STUNNEL_CHECK_IP=
NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL=2

[mmguero]

Just changing install.py to accept the string jwt and then changing the environment variable to jwt isn't enough to just add another authentication format. There's code that actually has to support implementing a different authentication type, just adding a new variable value doesn't make it true.

Malcolm implements three authentication types.

• NGINX_BASIC_AUTH=true - basic HTTP authentication; if this is set to true, htadmin is enabled. Since you've set it to jwt (which is not a value that means anything in Malcolm), htadmin is disabled
• NGINX_BASIC_AUTH=false - LDAP authentication
• NGINX_BASIC_AUTH=no_authentication - authentication is disabled

All three of those are handled by the NGINX configuration which gets set up at container start. Without adding support for JWT specifically, just changing the environment variable isn't going to make it supported.

Those are the only values for which any logic is implemented in Malcolm. We have a roadmap item to implement SSO later on this year. If you'd like to suggest JWT as an option for authentication, feel free to create a feature request.

[mmguero]

@lhayesg for what it's worth the next release of Malcolm will support using Keycloak (either an embedded instance managed by Malcolm, or your own Keycloak instance) which I think may be able to be configured to use JWT.