Accessing request headers in auth_provider

Hi,

I’m trying to write an authentication provider that accepts JWTs, so I can connect to HA through my Pomerium instance.

For it to work I need to be able to access the request headers so I can read the JWT and then perform validation.

As far as I understand it, the headers are actually saved to “a Context” by http.request_context (here), but when I print out context (the different one passed to async_login_flow) in a devcontainer all I get is

ip_address: 192.168.x.x
credential_only: False
redirect_uri: http://192.168.x.x:8123/?auth_callback=1

I tried dumping different objects (among them self.hass.http and self.hass.data) from async_login_flow, to no avail: I can find neither the request headers nor the aiohttp.web.Request object that’s supposed to contain them.

Does anyone have any idea where I should look, or if there’s a way to access the middleware data, or how the authentication provider’s context dict is built so I can maybe try to add those headers back?

Side note: I’m aware of this thread and the corresponding feature request, but AFAICT there hasn’t been any progress yet.

Thanks!

Hi Claudio!

Sorry, I only just noticed this, while going through my email to clear out junk mail, hah hah.

Don’t know if it’s helpful for you, but I wrote an Nginx module which performs validations for JWTs based on the AUD “audience” token, generated by Cloudflare Access.

Obviously, this is only useful if you’re using both Nginx HTTP proxy and Cloudflare Access, but if JWT validation is all you care about, I’ve found it works pretty well, outside of the corner cases in that thread you mentioned (also forgot about that, hah hah).

Cheers!