Authentication using Bearer Token

[ssb0432]

Authentication using Bearer Tokens does not work

Hello,

We have embedded Cockpit component Terminal in our web app using the instructions at https://cockpit-project.org/guide/latest/embedding.html#embedding-components

Our web app uses OpenLDAP (with Keycloak sitting in the middle) for user authentication. When we get to the embedded iframe, the user is asked for login credentials through the Cockpit login page. After entering the login credentials, the user can get the Terminal to open.

We would like to bypass this requirement for the user to authenticate a second time in the iframe by using bearer tokens. Keycloak provides us with the bearer tokens for authentication.

We added the cockpit configuration file for accepting Bearer Token (cockpit.conf) [referring to https://github.com/cockpit-project/cockpit/blob/main/doc/authentication.md]:

[bearer]
command = example-verify-token
timeout = 300

We pass the Keycloak token to Cockpit in the Authorization headers, but we are returned with a 500 Internal Server Error.

Does anyone have a working version of Cockpit iframe being authenticated using bearer tokens?

Version of Cockpit

251.3-1.el8_5

Where is the problem in Cockpit?

Terminal

Server operating system

Red Hat Enterprise Linux

Server operating system version

8.2

What browsers are you using?

Chrome, Edge

System log

No response

[martinpitt]

Did you actually implement that example-verify-token command?

I recently did a complete PoC for bearer token authentication here: gbraad-redhat/podman-cockpit-desktop#3 (comment)

[ygini]

Any successfully implemented command to works with Bearer token?

I've tried something based on the available examples without success, the STDIN/OUT based protocol is a bit of pain to use…

Here is my current state and I can't make it work, it hand when reading the expected size of the response, not sure if bug on my side or nor content sent by cockpit.

On the website it correctly goes to the IDP and come back.

https://gist.github.com/ygini/0ece3afb719d3ce1f12a5583b803e3e3