OctoPrint/OctoPrint

[1.10.0rc2] Verify handling of external users vs reauthentication checks

Closed this issue · 2 comments

The Problem

Curious what the expected outcome of the new re-authentication mechanism is relative to the following config? Since there is no actual user created manually, the password was never set due to addRemoteUsers. Since I don't know the password, I can't change it either as the end user.

accessControl:
  addRemoteUsers: true
  remoteUserHeader: whatever-header
  trustRemoteUser: true

Originally posted by @jneilliii in #4948 (comment)

Solution

Ensure that external logins are treated as "always freshly checked", like API keys. This might already be the case but needs to be verified, hence the "triage" label.

That indeed looked like it wouldn't have worked, but it now should. Header-based sessions (be it via Basic Authorization or a remote user header) and requests with API keys are now always considered fresh since we either can't check a password there (header-based) or don't have a session (API key). Ready for 1.10.0rc3.

1.10.0rc3 has just been released.
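The freshness rule described in this thread, as an added sketch that is not OctoPrint's own code: a timestamp-only check asks a remote-header user for a password they never set, while the exempting check treats header-based and API key requests as always fresh. All names here (`LoginMechanism`, `RequestIdentity`, `credentials_seen`, the 300-second timeout) are hypothetical and chosen for illustration.

```python
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class LoginMechanism(Enum):
    PASSWORD = "password"        # interactive login with a password check
    BASIC_AUTH = "basic_auth"    # Authorization: Basic header
    REMOTE_USER = "remote_user"  # remote user header (trustRemoteUser)
    API_KEY = "api_key"          # request carries an API key, no session


# Per the thread: no password can be checked for header-based requests,
# and API key requests have no session, so none of them can be re-prompted.
ALWAYS_FRESH = {LoginMechanism.BASIC_AUTH, LoginMechanism.REMOTE_USER,
                LoginMechanism.API_KEY}


@dataclass
class RequestIdentity:
    user: str
    mechanism: LoginMechanism
    credentials_seen: Optional[float] = None  # epoch seconds of last password check


def fresh_by_timestamp_only(ident: RequestIdentity, now: float, timeout: float) -> bool:
    """Check without the exemption: only a recent password check counts."""
    return (ident.credentials_seen is not None
            and now - ident.credentials_seen <= timeout)


def fresh(ident: RequestIdentity, now: float, timeout: float) -> bool:
    """Check with the exemption for header-based and API key requests."""
    if ident.mechanism in ALWAYS_FRESH:
        return True
    return fresh_by_timestamp_only(ident, now, timeout)


def needs_reauth(ident: RequestIdentity, now: float, timeout: float = 300.0) -> bool:
    # timeout is a constructed sample value, not a documented default
    return not fresh(ident, now, timeout)


if __name__ == "__main__":
    now = time.time()
    remote = RequestIdentity("proxy-user", LoginMechanism.REMOTE_USER)  # constructed
    print("timestamp-only check says fresh:", fresh_by_timestamp_only(remote, now, 300.0))
    print("needs reauth with exemption:", needs_reauth(remote, now))
```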