dbeaver/cloudbeaver

oauth2-proxy enabled to connect to cloudbeaver isn't working with reverse proxy header authentication

JayasreeReddy20 opened this issue · 7 comments

The configuration for enabling the reverse proxy looks like the one below.
I have only provided the info needed for the reverse proxy here; the rest of the configuration is already in place.

cloudbeaver.conf

    defaultAuthProvider: "reverseProxy",
    enableReverseProxyAuth: true,
    enabledAuthProviders: [
        "reverseProxy",
        "local"
    ],

    authConfigurations: [
        {
            "id": "reverseProxy",
            "provider": "reverseProxy",
            "displayName": "Reverse Proxy",
            "disabled": false,
            "iconURL": "",
            "description": "",
            "parameters": {
                "logout-url": "",
                "user-header": "X-Auth-Request-User",
                "team-header": " X-Auth-Request-Groups",
                "full-name-header": "X-Auth-Request-Email",
                "team-delimiter": ",",
                "first-name-header": "X-First-name",
                "last-name-header": "X-Last-name"
            }
        }
    ]

    authentication: {
        baseAuthProvider: "reverseProxy",
        primaryAuthProvider: "reverseProxy"
    },

With this configuration, authenticating with a GitHub team user and accessing CloudBeaver populates only X-Auth-Request-User,
X-Auth-Request-Email and X-Auth-Request-Groups.

Questions:

  1. Which parameters should be used to fetch the first name and last name?
  2. Though the above three headers are fetched and used, the reverse proxy still always asks to connect with local authentication and doesn't take the reverse-proxy auth.
    How do we achieve reverse-proxy auth?
  3. If local auth is disabled, it pops up a prompt to configure the auth settings and doesn't work until this is enabled.

Hi @JayasreeReddy20
Please take a look at the Reverse-proxy article. I hope this helps you configure everything correctly.

Hi @EvgeniaBzzz ,

These changes are already configured as shown above in cloudbeaver.conf, and I can see them updated in runtime.conf as well.

Hello, @JayasreeReddy20
Your first-name and last-name configuration settings are set by default. You need to update them depending on which headers are specified in your reverse proxy.
Also, one possible variant is that if you pass a non-existent team through reverseProxy, you need to create the team first and then use it in reverseProxy.
If that doesn't work, can you provide the full config file and any errors in your application log when you try to log in using reverseProxy?

Hi @DenisSinelnikov, @EvgeniaBzzz

  1. My reverseProxy authentication is configured with GitHub, where GitHub only provides these parameters: X-Auth-Request-User,
    X-Auth-Request-Groups, and X-Auth-Request-Email. We are under the impression that because the first name and last name aren't retrieved from GitHub, the reverseProxy isn't able to work. Correct me if my understanding is wrong.

  2. We have created a team in the GitHub organization and are using it as an arg, --github-team=cloudbeaver-access, in reverseProxy.

  3. Should we also add the team details in the initial-data.conf file, as below, added as cloudbeaver-access?

{
    teams: [
        {
            subjectId: "admin",
            teamName: "Admin",
            description: "Administrative access. Has all permissions.",
            permissions: [ "admin" ]
        },
        {
            subjectId: "user",
            teamName: "User",
            description: "All users, including anonymous.",
            permissions: [ ]
        },
        {
            subjectId: "Cloudbeaver Access",
            teamName: "Cloudbeaver Access",
            description: "Administrative access. Has all permissions.",
            permissions: [ "admin" ]
        }
    ]
}
  4. This is my server configuration.
{
 "server": {
   "serverName": "CloudBeaver CE Server",
   "serverURL": "provided my server url",
   "expireSessionAfterPeriod": 1800000,
   "database": {
     "driver": "h2_embedded_v2",
     "url": "jdbc:h2:/opt/cloudbeaver/workspace/.data/cb.h2v2.dat",
     "initialDataConfiguration": "conf/initial-data.conf",
     "backupEnabled": false,
     "pool": {
       "minIdleConnections": 4.0,
       "validationQuery": "SELECT 1",
       "maxIdleConnections": 10.0,
       "maxConnections": 100.0
     }
   },
   "sm": {
     "passwordPolicy": {
       "minLength": 8.0,
       "minNumberCount": 1.0,
       "minSymbolCount": 0.0,
       "requireMixedCase": true
     }
   }
 },
 "app": {
   "anonymousAccessEnabled": false,
   "supportsCustomConnections": false,
   "publicCredentialsSaveEnabled": false,
   "adminCredentialsSaveEnabled": false,
   "enableReverseProxyAuth": true,
   "forwardProxy": true,
   "linkExternalCredentialsWithUser": true,
   "redirectOnFederatedAuth": false,
   "resourceManagerEnabled": true,
   "showReadOnlyConnectionInfo": false,
   "grantConnectionsAccessToAnonymousTeam": false,
   "systemVariablesResolvingEnabled": false,
   "resourceQuotas": {
     "dataExportFileSizeLimit": 1.0E7,
     "resourceManagerFileSizeLimit": 500000.0,
     "sqlMaxRunningQueries": 100.0,
     "sqlResultSetRowsLimit": 100000.0,
     "sqlResultSetMemoryLimit": 2000000.0,
     "sqlTextPreviewMaxLength": 2000000.0,
     "sqlBinaryPreviewMaxLength": 261120.0
   },
   "defaultNavigatorSettings": {},
   "enabledFeatures": [],
   "enabledAuthProviders": [
     "reverseProxy"
   ],
   "enabledDrivers": [],
   "disabledDrivers": [
     "sqlite:sqlite_jdbc",
     "h2:h2_embedded",
     "clickhouse:yandex_clickhouse",
     "generic:duckdb_jdbc",
     "h2:h2_embedded_v2"
   ],
   "authConfigurations": [
     {
       "id": "reverseProxy",
       "provider": "reverseProxy",
       "displayName": "Reverse Proxy",
       "disabled": false,
       "iconURL": "",
       "description": "",
       "parameters": {
         "logout-url": "",
         "user-header": "X-Auth-Request-User",
         "team-header": " X-Auth-Request-Groups",
         "full-name-header": "X-Auth-Request-Email",
         "team-delimiter": ",",
         "first-name-header": "X-First-name",
         "last-name-header": "X-Last-name"
       }
     }
   ]
 }
}
  5. Here is my product.conf
// Product configuration. Customized web application behavior
// It is in JSONC format
{
  // Global properties
  core: {
      // User defaults
      user: {
          defaultTheme: "light",
          defaultLanguage: "en"
      },
      app: {
          // Log viewer config
          logViewer: {
              refreshTimeout: 3000,
              logBatchSize: 1000,
              maxLogRecords: 2000,
              maxFailedRequests: 3
          }
      },
      authentication: {
          baseAuthProvider: "reverseProxy",
          primaryAuthProvider: "reverseProxy"
      },
      'navigation-tree': {
          childrenLimit: 4000,
          editing: true,
          deleting: true
      }
  },
  // Notifications config
  core_events: {
      notificationsPool: 5
  },
  plugin_data_spreadsheet_new: {
      hidden: false
  },
  plugin_data_export: {
      disabled: false
  }
}

Please let us know if we are missing anything or if something is wrongly configured.
Thanks for the quick response so far :)

@JayasreeReddy20

  1. ReverseProxy can work without first/last name; they are optional.
  2. and 3. Yes, you should add your custom team to initial-data.conf. Your example is right.

Hi @EvgeniaBzzz ,

It worked for me with the following update of the user and team headers, though I didn't add the first-name and last-name headers.
It worked with X-Forwarded-User and X-Forwarded-Team.

    "parameters": {
        "logout-url": "https://your_logout_url_if_needed",
        "user-header": "X-Forwarded-User",
        "team-header": "X-Forwarded-Team",
        "team-delimiter": ",",
        "first-name-header": "X-First-Name",
        "last-name-header": "X-Last-Name"
    }

Thanks for your support :)
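The following is an added example, not code from CloudBeaver, oauth2-proxy or any participant in this thread. It models what the reverse-proxy provider's "parameters" block means: each `*-header` entry names a request header that the proxy sets, and `team-delimiter` splits the team header into team names. It includes a small lint for the header names, which flags the leading space in the `team-header` of the first configuration posted above (a header name with surrounding whitespace cannot match any real request header), and it resolves an identity from both that configuration and the X-Forwarded-User / X-Forwarded-Team configuration that worked in the end. The header values are constructed for this example; `ProxyIdentity`, `lint_parameters` and `resolve_identity` are hypothetical names, not CloudBeaver APIs.

```python
# Added example (not CloudBeaver's or oauth2-proxy's code): a small model of
# reverse-proxy header authentication driven by a CloudBeaver-style
# "parameters" block, plus a lint for the header names in that block.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProxyIdentity:
    user: str
    teams: List[str] = field(default_factory=list)
    full_name: str = ""
    first_name: str = ""
    last_name: str = ""


def lint_parameters(params: Dict[str, str]) -> List[str]:
    """Report header names that can never match a real request header."""
    problems = []
    for key, value in params.items():
        if key.endswith("-header") and value != value.strip():
            problems.append(f"{key}: header name {value!r} has surrounding whitespace")
    if not params.get("user-header", "").strip():
        problems.append("user-header: must name the header that carries the user name")
    return problems


def resolve_identity(params: Dict[str, str], headers: Dict[str, str]) -> Optional[ProxyIdentity]:
    """Map proxy-set headers to an identity using the configured header names.

    `headers` must be the request headers *after* the reverse proxy has set them:
    the proxy has to overwrite these headers on every request it forwards, since
    the application trusts them as-is. Header names compare case-insensitively
    (as HTTP requires) but are not trimmed, so a configured name with a stray
    space silently matches nothing.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    def header(param: str) -> str:
        name = params.get(param, "")
        return lowered.get(name.lower(), "") if name else ""

    user = header("user-header")
    if not user:
        return None  # no trusted user header: the request is unauthenticated
    delimiter = params.get("team-delimiter", ",")
    raw_teams = header("team-header")
    teams = [t.strip() for t in raw_teams.split(delimiter) if t.strip()]
    return ProxyIdentity(
        user=user,
        teams=teams,
        full_name=header("full-name-header"),
        first_name=header("first-name-header"),
        last_name=header("last-name-header"),
    )


# The two "parameters" blocks from the thread: the first as originally posted
# (note the leading space in team-header), the second the one that worked.
ORIGINAL_PARAMS = {
    "logout-url": "",
    "user-header": "X-Auth-Request-User",
    "team-header": " X-Auth-Request-Groups",
    "full-name-header": "X-Auth-Request-Email",
    "team-delimiter": ",",
    "first-name-header": "X-First-name",
    "last-name-header": "X-Last-name",
}
WORKING_PARAMS = {
    "logout-url": "https://your_logout_url_if_needed",
    "user-header": "X-Forwarded-User",
    "team-header": "X-Forwarded-Team",
    "team-delimiter": ",",
    "first-name-header": "X-First-Name",
    "last-name-header": "X-Last-Name",
}

# Constructed sample headers, as a proxy would set them; the values are made up.
OAUTH2_PROXY_HEADERS = {
    "X-Auth-Request-User": "jdoe",
    "X-Auth-Request-Groups": "cloudbeaver-access,admins",
    "X-Auth-Request-Email": "jdoe@example.com",
}
FORWARDED_HEADERS = {
    "X-Forwarded-User": "jdoe",
    "X-Forwarded-Team": "cloudbeaver-access",
}


if __name__ == "__main__":
    print(lint_parameters(ORIGINAL_PARAMS))
    print(resolve_identity(ORIGINAL_PARAMS, OAUTH2_PROXY_HEADERS))
    print(resolve_identity(WORKING_PARAMS, FORWARDED_HEADERS))
```

With the first configuration the user resolves but the team list comes back empty, because `" X-Auth-Request-Groups"` never matches the header the proxy actually sends; stripping the name makes the teams appear. The lint is the kind of check worth running over `authConfigurations` before restarting the server, since a missing team match is otherwise indistinguishable from the proxy not sending the header at all.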

Great! Thanks for the update 🦫