View Issue Details

ID: 0022398
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2023-07-05 09:56
Reporter: arrfab
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Product Version: 2.1.0
Summary: 0022398: HTTP_AUTH not working
Description

Was trying to force HTTP_AUTH for mantisbt (as per https://www.mantisbt.org/docs/master-1.3.x/en-US/Admin_Guide/html-desktop/#admin.config.auth),
but it doesn't seem to work.
Then I realized that in the doc, there is a TODO (https://www.mantisbt.org/docs/master-1.3.x/en-US/Admin_Guide/html-desktop/#admin.auth.http).

Does that mean that it's not yet implemented? Also the doc is still 1.3 while the product is now 2.1.0 (needs another bug report?)

In fact, we (CentOS Project) don't even want to rely on HTTP_AUTH, but rather on openid, but while I found some bug reports for that, it seems there is still nothing implemented.
So my "workaround" was at least to offload the auth to HTTP_AUTH, with apache using mod_auth_openid.
mod_auth_openid asks for user/pass and validates (as we use that for other web apps) but mantis doesn't seem to even use it.

Can we get clarification if that is supposed to work or not? (while also waiting for openid plugin to work too)

Thanks a lot for your work!

Tags: No tags attached.

Relationships

has duplicate 0017872 (closed, dregad): AUTH_BASIC fails

Activities

raspopov

2018-02-15 13:06

reporter   ~0058882

IMHO (after hours of patching MantisBT sources) the current version doesn't support HTTP_AUTH and simply ignores the $_SERVER['REMOTE_USER'] variable with the user name authenticated via the web server.

raspopov

2018-02-18 14:07

reporter   ~0058930

I created a pull request to fix this issue: https://github.com/mantisbt/mantisbt/pull/1302

vboctor

2018-02-19 04:12

manager   ~0058939

Thanks @raspopov for the PR and your bug report.

We have added support for auth plugins in the 2.3.0 release, so you should consider upgrading to the latest version to get that. To get more details about the auth plugin model, check out the following:

The goal is to move more towards plugins and less auth schemas embedded in the core of MantisBT.

As for the HTTP_AUTH, thanks for the PR. Will hopefully provide feedback soon.

arrfab

2018-02-20 05:24

reporter   ~0058975

Good to know that there is now a way to have http_auth working, but it seems that it will not be merged into mantis core.
In fact, in my initial test, I wanted to use openid or openidc (so oauth2), but it doesn't seem to work either (and there is no plugin to be found, despite multiple requests for that in the last years).
So my idea was to use mod_auth_openid for apache, and so transparently use it for http_auth for mantis.

vicsuarez

2023-07-05 09:56

reporter   ~0067874

Sorry for the late response, but we got this working simply by adding the 'HTTP_AUTH' value to the <i>$t_login_methods</i> array in the <i>auth_does_password_match</i> method (authentication_api.php):
<pre>
$t_login_methods = array(
    MD5,
    CRYPT,
    PLAIN,
    BASIC_AUTH,
    HTTP_AUTH // entry added
);
</pre>

Finally we avoided touching the 'core' libs, and an integration with Apache+mod_auth_cas is working with BASIC_AUTH, a custom configuration and some new PHP scripts, but the former (and simple) update to <i>authentication_api.php</i> actually resolved the problem.
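
The setups discussed in this thread (Apache with mod_auth_openid or mod_auth_cas in front of the application) depend on the application reading the user name the web server placed in $_SERVER['REMOTE_USER']. The following is an added example, not MantisBT code and not from any commenter, of reading that value so that only the server-set variable is trusted and the lookup fails closed. The function name, the `$knownUsers` list and the sample accounts are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not MantisBT code. Return the login name the web server
 * authenticated, or null when no trustworthy name is present.
 *
 * $server     : the $_SERVER array
 * $knownUsers : hypothetical list of account names that exist in the application
 */
function resolve_server_authenticated_user(array $server, array $knownUsers): ?string
{
    // Trust only REMOTE_USER, which the web server sets after its own auth
    // module succeeds. Keys starting with HTTP_ are built from request headers
    // and are therefore client-controlled (e.g. HTTP_REMOTE_USER).
    $name = $server['REMOTE_USER'] ?? null;
    if (!is_string($name) || $name === '') {
        return null; // nobody was authenticated by the server: fail closed
    }
    // Reject control characters and over-long values before any lookup.
    if (strlen($name) > 255 || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return null;
    }
    // The name must match an existing account exactly; no auto-provisioning.
    return in_array($name, $knownUsers, true) ? $name : null;
}

// Constructed sample requests (not taken from the issue).
$users = ['alice', 'bob'];
$cases = [
    'server-set REMOTE_USER' => ['REMOTE_USER' => 'alice'],
    'spoofed header only'    => ['HTTP_REMOTE_USER' => 'bob'],
    'unknown account'        => ['REMOTE_USER' => 'mallory'],
    'empty value'            => ['REMOTE_USER' => ''],
    'control character'      => ['REMOTE_USER' => "alice\n"],
];
foreach ($cases as $label => $server) {
    $user = resolve_server_authenticated_user($server, $users);
    printf("%-24s => %s\n", $label, $user ?? '(rejected)');
}
```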