oetiker/SmokePing

Slave submit results using Oauth 2 Bearer Token

mirceaulinic opened this issue · 7 comments

I have a situation where I need to only permit HTTP access to my Smokeping Master behind a Single Sign-On. Therefore, the Smokeping native Master <> Slave basic authentication isn't sufficient and won't work.

I therefore am opening this feature request in order to suggest adding Bearer Token authentication. If my understanding is correct, we only need to add the Auth: Bearer <token> here, i.e.,

    my $response = $ua->post(
        $slave_cfg->{master_url},
        Content_Type => 'form-data',
        Auth => "Bearer $bearer_token",  # double quotes so the token is interpolated
        Content => [
            slave => $slave_cfg->{slave_name},
            key  => hmac_md5_hex($data_dump,$slave_cfg->{shared_secret}),
            protocol => $PROTOCOL,
            data => $data_dump,
            config_time => $cfg->{__last} || 0,
        ],
    );

I'd probably add the bearer token as an argument, so we can start the process as, e.g., smokeping --master-url <master> --slave-name <name> --bearer-token <token>.

Does this make sense?

Opening this issue for now to gather feedback and eventual pointers, and I can open a PR to implement this change if the maintainers agree.

That looks good. Maybe instead of calling this --bearer-token, just call it '--extra-header'

    --extra-header='Auth: Bearer xxxxxx'

and then do

    my ($xhead,$xval) = split /:\s+/, $opt{'extra-header'}, 2;
    ...
    $xhead => $xval

or something along these lines, then it becomes more generic

Thanks for the (quick) suggestion @oetiker! I like the idea to make this more generic. Wondering if we should take this further and allow multiple extra headers then?

Sure, while you are at it ... just allow for the option to be added multiple times

This issue has become stale and will be closed automatically within 7 days. Comment on the issue to keep it alive.

Yes, please keep it open, been lazy / busy to get back to this...

This would be a very nice feature - but would like the multiple headers option. E.g.: Cloudflare uses 2 headers for service tokens.

https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/

edit: to also add, putting the token on the command line wouldn't be good as it becomes visible to all users to steal. Is it possible to incorporate into the shared-secret file or similar? (I know, makes it a pain)
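
A sketch of the option handling discussed in this thread (a repeatable `--extra-header`, plus reading headers from a file so the token stays out of the process list), added here as an example; it is not SmokePing code. The `--extra-header-file` option, the helper names and the sample header values are assumptions.

```perl
#!/usr/bin/env perl
# Added illustration only; --extra-header-file and all helper names are hypothetical.
use strict;
use warnings;
use Getopt::Long qw(GetOptionsFromArray);

# Split "Name: value" and reject input that could smuggle extra header lines.
sub parse_header {
    my ($line) = @_;
    my ($name, $value) = split /:\s*/, $line, 2;
    die "malformed header (expected 'Name: value')\n"
        unless defined $value && $name =~ /^[A-Za-z0-9-]+$/;   # conservative name check
    die "control character in value of header '$name'\n"
        if $value =~ /[\x00-\x1f\x7f]/;                        # blocks CR/LF injection
    return ($name, $value);
}

# Read headers from a file, one per line, refusing group/world-accessible files.
sub read_header_file {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my $mode = (stat $fh)[2] & 07777;
    die sprintf("%s has mode %04o, expected 0600 or stricter\n", $path, $mode)
        if $mode & 077;
    my @lines = grep { /\S/ && !/^\s*#/ } <$fh>;               # skip blanks and comments
    chomp @lines;
    return @lines;
}

# Returns a flat (name => value, ...) list that can be spliced into $ua->post(...).
sub collect_headers {
    my (@argv) = @_;
    my (@inline, $file);
    GetOptionsFromArray(\@argv,
        'extra-header=s@'     => \@inline,   # may be given several times
        'extra-header-file=s' => \$file,     # keeps secrets out of argv / ps output
    ) or die "bad options\n";
    push @inline, read_header_file($file) if defined $file;
    return map { parse_header($_) } @inline;
}

# Constructed sample values, not real credentials.
my @headers = collect_headers(
    '--extra-header', 'Auth: Bearer example-token',
    '--extra-header', 'X-Example-Second: example-value',
);
printf "%d extra header(s) parsed\n", @headers / 2;   # values deliberately not printed
```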
