Support Bearer Tokens for authenticating instead of using a token in basic auth · Graylog2/graylog2-server#5167

(1 comment) (1 reaction) (0 assignees)Java (6,945 stars) (1,032 forks)batch import

featuregood first issuetriaged

説明

Expected Behavior

When a user creates a token which can be used for authentication, it should be accepted by the server when passed as part of a Authentication: Bearer <Token> header.

Current Behavior

For token authentication, the server expects basic auth with the username set to the token and password to token. This is rather proprietary. Additionally, some systems which are otherwise capable of speaking to Graylog (e.g. the telegraf prometheus plugin speaking to the Graylog prometheus metrics reporter do not work due to the nonacceptance of Bearer Tokens.

Possible Solution

Steps to Reproduce (for bugs)

Context

Your Environment

Graylog Version:
Elasticsearch Version:
MongoDB Version:
Operating System:
Browser version:

コントリビューターガイド

技術スタック: java
領域: authentication
Issue 種別: feature
難度: 3
推定時間: half day
活動状況: stale
明確さ: mostly clear
前提条件: JavaAuthentication conceptsGraylog server codebase
初心者向け度: 50
調査方針: Look at the existing authentication flow in the Graylog server codebase, particularly how token based auth is implemented (likely in classes like `TokenAuthService` or `AuthenticationFilter`). The current behavior uses Basic Auth with token as username and 'token' as password. The goal is to also accept the token in the `Authorization: Bearer <Token>` header. You may need to modify the authentication filter to check for Bearer token, parse it, and validate against stored tokens. Check the issue comments for any additional context or rejected approaches. No linked PRs exist, so you'll need to research how other plugins (e.g., Prometheus reporter) authenticate. Ensure backward compatibility with existing Basic Auth method.