-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Forward authorization header in federated queries #1602
Comments
Slightly off-topic, but some more context: We also plan to host the qlever UI, we want this to be authenticated as well. If the user is not authenticated, they will be redirected to a login page, and redirected back to the UI. But we have a workaround for this: The JWT token is wrapped in a cookie. The browser will also include this cookie in the requests to the server. |
I was doing some research on this and found that it is not an easy problem... Take for example the query below:
scenario 1: server 0-2 are all part of the same internal system
scenario 2: server 0-1 are part of an internal system, server 2 is external
scenario 3: server 0-1 are external, server 2 is part of the internal system
|
We have a reverse proxy in front of our qlever backend servers, these are used to check if requests are authenticated, this includes authorization checks.
This is done because we need fine grained security for our datasets. A claim in the JWT token indicates to which datasets the user has read access.
But when the user runs a federated query, a request will be send to one back-end, and that back-end will query other back-ends.
But in these downstream requests the
Authorization
header is not forwarded. This will result in a UNAUTHORIZED response.Is it possible to forward the Authorization header for downstream requests in federated queries? Or maybe all headers?
Note: We haven't actually tested this, we don't have the reverse proxy with authorization checks yet. We are still analyzing what is possible. I have viewed the downstream requests however using Wireshark and was able to verify no headers were forwarded.
The text was updated successfully, but these errors were encountered: