[1.10.0rc2] Verify handling of external users vs reauthentication checks
Closed this issue · 2 comments
The Problem
Curious what the expected outcome of the new re-authentication mechanism is relative to the following config? Since there is no actual user created manually, the password was never set due to addRemoteUsers. Since I don't know the password, I can't change it either as the end user.
accessControl:
  addRemoteUsers: true
  remoteUserHeader: whatever-header
  trustRemoteUser: true
Originally posted by @jneilliii in #4948 (comment)
Solution
Ensure that external logins are treated as "always freshly checked", like API keys. This might already be the case but needs to be verified, hence the "triage" label.
That indeed looked like it wouldn't have worked, but it now should. Header-based sessions (be it via Basic Authorization or a remote user header) and requests with API keys are now always considered fresh since we either can't check a password there (header-based) or don't have a session (API key). Ready for 1.10.0rc3.
1.10.0rc3 has just been released.
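The freshness rule described in this thread, as an added sketch that is not OctoPrint's own code: password sessions must have had their credentials checked within a timeout, while header-based and API key requests always count as fresh. All names (`LoginMechanism`, `RequestAuth`, `credentials_fresh`, `guard_sensitive_action`) and the 300 second timeout are assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not OctoPrint's API.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class LoginMechanism(Enum):
    PASSWORD = "password"
    REMOTE_USER_HEADER = "remote_user_header"
    BASIC_AUTH_HEADER = "basic_auth_header"
    API_KEY = "api_key"


# Re-validated on every request: the server either has no password it could
# ask for again (header-based) or no session to go stale (API key).
ALWAYS_FRESH = frozenset({
    LoginMechanism.REMOTE_USER_HEADER,
    LoginMechanism.BASIC_AUTH_HEADER,
    LoginMechanism.API_KEY,
})

REAUTH_TIMEOUT_S = 300  # constructed sample value


@dataclass
class RequestAuth:
    user: str
    # Must be set by the server's own login code, never read from request data.
    mechanism: LoginMechanism
    # Epoch seconds of the last successful password check, if any.
    credentials_seen_at: Optional[float] = None


def credentials_fresh(auth: RequestAuth, now: float,
                      timeout: float = REAUTH_TIMEOUT_S) -> bool:
    if auth.mechanism in ALWAYS_FRESH:
        return True
    if auth.credentials_seen_at is None:
        return False  # fail closed: no record of a password check
    age = now - auth.credentials_seen_at
    return 0 <= age <= timeout  # a timestamp in the future is rejected


def guard_sensitive_action(auth: RequestAuth, now: float) -> str:
    """Return 'allow', or 'reauth' when the password must be confirmed again."""
    return "allow" if credentials_fresh(auth, now) else "reauth"
```
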