
Basic Auth and JWT #2809

Closed
a1fred opened this issue Apr 4, 2019 · 11 comments
Labels
area/authentication kind/enhancement Applied to Feature Requests

Comments

@a1fred

a1fred commented Apr 4, 2019

Can't secure Portainer behind nginx with basic auth. Portainer's JWT auth and HTTP basic auth use the same header name and overwrite each other.

Maybe rename the JWT header, or add a configuration option to change the JWT header name?

Related:

@ghost

ghost commented Apr 4, 2019

Hi there,
What is your use case for this?

@ghost ghost self-assigned this Apr 4, 2019
@ghost ghost added the status/need-info label Apr 4, 2019
@a1fred
Author

a1fred commented Apr 4, 2019

I want to use Portainer's web UI behind an nginx reverse proxy with HTTP basic authentication.
Basic authentication uses the 'Authorization' header. Portainer's authentication uses the same header for sending the JWT token.

This conflict makes a reverse proxy with basic authentication impossible.

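Added example (not from the issue thread or from the Portainer project), in Python, showing the collision described above: an `auth_basic` gate at the proxy and the application's Bearer JWT both have to travel in the single `Authorization` request header (RFC 7235), so one browser request can satisfy only one side. The helper names, the demo credentials, the demo token and the alternative header name `X-Portainer-Token` are assumptions made for this demonstration, not Portainer's API or configuration.

```python
"""Added example: Basic auth at a reverse proxy versus a Bearer JWT, both in
the single `Authorization` header. Helper names, credentials, the token and
the `X-Portainer-Token` header name are assumptions for the demo."""
import base64
import binascii
import hmac
from typing import Mapping, Optional, Tuple

# Constructed proxy credentials (a real proxy would read an htpasswd file).
PROXY_USER = "admin"
PROXY_PASSWORD = "correct horse battery staple"

# Constructed token: JWT-shaped text, not signed with any real key.
DEMO_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6MX0.c2lnbmF0dXJl"


def parse_authorization(headers: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """Split `Authorization` into (scheme, credentials). Header names and
    scheme names are case-insensitive (RFC 7230 / RFC 7235), so both are
    matched case-insensitively and the scheme is returned in lower case."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            parts = value.strip().split(None, 1)
            if len(parts) != 2:
                return None
            return parts[0].lower(), parts[1].strip()
    return None


def proxy_basic_auth_ok(headers: Mapping[str, str]) -> bool:
    """What an `auth_basic` gate does: accept only a `Basic` scheme whose
    decoded `user:password` matches. Bad base64 is rejected rather than
    raising, and the comparison is constant-time."""
    parsed = parse_authorization(headers)
    if parsed is None or parsed[0] != "basic":
        return False
    try:
        decoded = base64.b64decode(parsed[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    expected = f"{PROXY_USER}:{PROXY_PASSWORD}".encode()
    return hmac.compare_digest(f"{user}:{password}".encode(), expected)


def extract_jwt(headers: Mapping[str, str], header_name: str = "Authorization") -> Optional[str]:
    """What the application does: read the token from `Authorization: Bearer
    <jwt>`. The `header_name` parameter models the configurable token header
    requested in this issue; it is an assumption, not Portainer's behaviour."""
    if header_name.lower() == "authorization":
        parsed = parse_authorization(headers)
        if parsed is None or parsed[0] != "bearer":
            return None
        return parsed[1] or None
    for name, value in headers.items():
        if name.lower() == header_name.lower():
            return value.strip() or None
    return None


def basic_header(user: str, password: str) -> str:
    """Build the value a browser sends after an HTTP basic-auth prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def demo() -> dict:
    """Run three request shapes through both gates and return the verdicts."""
    # The web UI's API call carries the JWT; the proxy sees no Basic credentials.
    api_call = {"Authorization": f"Bearer {DEMO_JWT}"}
    # Basic credentials pass the proxy, but the app then finds no Bearer token.
    basic_only = {"Authorization": basic_header(PROXY_USER, PROXY_PASSWORD)}
    # With a separate token header both checks can succeed on one request.
    separate = {
        "Authorization": basic_header(PROXY_USER, PROXY_PASSWORD),
        "X-Portainer-Token": DEMO_JWT,  # assumed alternative header name
    }
    return {
        "bearer_passes_proxy": proxy_basic_auth_ok(api_call),
        "basic_passes_proxy": proxy_basic_auth_ok(basic_only),
        "basic_yields_jwt": extract_jwt(basic_only),
        "separate_passes_proxy": proxy_basic_auth_ok(separate),
        "separate_yields_jwt": extract_jwt(separate, "X-Portainer-Token"),
    }


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key}: {verdict}")
```

The first two verdicts are the conflict: the token request cannot get past the proxy, and a request that does get past the proxy carries no token. The third shows why the thread's proposal (a separate, configurable token header) removes the collision; an equivalent fix is to move the proxy's own gate off the `Authorization` header, for example to a client certificate or a cookie-based session.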
@deviantony
Member

deviantony commented Apr 4, 2019

@a1fred Portainer already provides an authentication mechanism. Why would you try to add another one on top of that?

@a1fred
Author

a1fred commented Apr 4, 2019

@deviantony I don't want to show the Portainer login page to the public; I don't fully trust one authentication mechanism. Access to Portainer gives access to all services and to the entire server. It's very important, and that is completely unacceptable.

I want more security to let my paranoia sleep calmly :)

@deviantony deviantony added area/authentication kind/enhancement Applied to Feature Requests and removed status/need-info labels Apr 5, 2019
a1fred added a commit to a1fred/portainer that referenced this issue Apr 5, 2019
@a1fred
Author

a1fred commented Apr 5, 2019

Just created #2815.
But I'm not very advanced in Go and Angular and have no idea how to run and test it.
Can somebody check it?

@deviantony
Member

Sorry, we've decided that we were not going to support this scenario for the reason that using the Authorization header is the standard way when using the JWT authentication scenario.

We already support advanced authentication scenarios (more secure) by allowing you to use an external OAuth provider where you can enable extra security layers (such as 2FA) and we would recommend this approach for a more secure setup.

@uroni

uroni commented Jan 20, 2020

If you proxy it from a random location (say https://portainer.example.com/30aa9eeb-2f1c-49e8-91ec-2037f269a5fc/ ) that should be nearly as good as basic auth. The only danger is that someone accidentally copies & pastes the URL somewhere public, or that the web server lists the location somewhere.

Basic auth should still be supported, in my opinion, however.

@modem7

modem7 commented Feb 17, 2020

> Sorry, we've decided that we were not going to support this scenario for the reason that using the Authorization header is the standard way when using the JWT authentication scenario.
>
> We already support advanced authentication scenarios (more secure) by allowing you to use an external OAuth provider where you can enable extra security layers (such as 2FA) and we would recommend this approach for a more secure setup.

It's unfortunate that it costs as much as it does. Great pricing for businesses, not so much for a small home network that isn't generating profit.

If there were a residential pricing tier, single user licence, single MFA user account etc, for a quarter of the price, then that would certainly be worthwhile!

@ncresswell
Member

ncresswell commented Feb 17, 2020 via email

@toussa

toussa commented Jun 3, 2020

> Sorry, we've decided that we were not going to support this scenario for the reason that using the Authorization header is the standard way when using the JWT authentication scenario.
>
> We already support advanced authentication scenarios (more secure) by allowing you to use an external OAuth provider where you can enable extra security layers (such as 2FA) and we would recommend this approach for a more secure setup.

Actually, it's not the same at all, and I wouldn't say OAuth is more secure. It's just not the same level. Using Basic Authentication (and TLS) with a reverse proxy will prevent access to any page, even the ones that don't need a Portainer account to access.
You cannot even see or reach the door to try to open it.
For critical services like Portainer that aren't used by too many people, I also prefer adding Basic Auth.

Anyway, I totally agree on respecting the standard. It should be the job of the reverse proxy.

@freekk

freekk commented Oct 31, 2022

Hello,

Sorry to say that, but I think you miss the point here.
You may have a great product that "supports" OAuth authentication, but your implementation of the auth flow CAN have issues.

Specifically when targeting serious businesses, you must provide a way to allow them to use the security gateway of their choice and not increase the attack surface.
When a reverse proxy has been reviewed, accepted from a security viewpoint, and battle-tested, you cannot just say "create a specific backdoor and trust us for security".

You may choose to regard us as paranoid enthusiasts, but as someone who works in IT, not addressing this issue is a no-go.
I really hope you change your mind about this one, and I wish you the best!

7 participants