Support Bearer Tokens for authenticating instead of using a token in basic auth · Graylog2/graylog2-server#5167

(1 留言) (1 反應) (0 負責人)Java (6,945 star) (1,032 fork)batch import

featuregood first issuetriaged

描述

Expected Behavior

When a user creates a token which can be used for authentication, it should be accepted by the server when passed as part of a Authentication: Bearer <Token> header.

Current Behavior

For token authentication, the server expects basic auth with the username set to the token and password to token. This is rather proprietary. Additionally, some systems which are otherwise capable of speaking to Graylog (e.g. the telegraf prometheus plugin speaking to the Graylog prometheus metrics reporter do not work due to the nonacceptance of Bearer Tokens.

Possible Solution

Steps to Reproduce (for bugs)

Context

Your Environment

Graylog Version:
Elasticsearch Version:
MongoDB Version:
Operating System:
Browser version:

貢獻者指南

技術棧: java
領域: authentication
議題類型: feature
難度: 3
預計時間: half day
活動狀態: stale
清晰度: mostly clear
前置要求: JavaAuthentication conceptsGraylog server codebase
新手友善度: 50
研究方向: Look at the existing authentication flow in the Graylog server codebase, particularly how token based auth is implemented (likely in classes like `TokenAuthService` or `AuthenticationFilter`). The current behavior uses Basic Auth with token as username and 'token' as password. The goal is to also accept the token in the `Authorization: Bearer <Token>` header. You may need to modify the authentication filter to check for Bearer token, parse it, and validate against stored tokens. Check the issue comments for any additional context or rejected approaches. No linked PRs exist, so you'll need to research how other plugins (e.g., Prometheus reporter) authenticate. Ensure backward compatibility with existing Basic Auth method.