mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-13 19:54:13 -05:00
[GH-ISSUE #3099] Blueprint auth.basic-auth labels override SSO priority, emit Basic challenge ahead of SSO redirect (regression) #17294
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @strausmann on GitHub (May 17, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/3099
Describe the Bug
When a public resource has both
auth.sso-enabled=trueandauth.basic-auth.user/passwordset via blueprint labels, Pangolin answers an unauthenticated request withHTTP 401+WWW-Authenticate: Basic realm="pangolin"instead of issuing a302redirect to the SSO login page.Result: browsers show the native Basic-Auth login dialog first, and only fall through to the SSO redirect (delivered in the HTML body) if the user clicks "Cancel" on the dialog. The intended UX is the opposite — SSO for browser users, Basic-Auth as a bypass for tooling/CI/curl.
The HTML response body still contains the SSO fallback, but the
WWW-Authenticateheader always wins in the browser, which makes the user-facing experience confusing on a resource that is explicitly configured to use SSO.This behavior used to be SSO-priority earlier (Basic-Auth headers were accepted when the client proactively sent them, but no Basic challenge was emitted on no-auth requests). Filing this as a regression.
Environment
To Reproduce
<key>,full-domain,portas appropriate):pangolin-newtso the blueprint syncs.curl -i https://example.com/→ returnsHTTP 401withWWW-Authenticate: Basic realm="pangolin". Body contains an SSO redirect fallback.curl -i -u automation:<password> https://example.com/→ 200 OK (Basic-Auth bypass works).https://example.com/in a browser → native Basic-Auth dialog appears, not the SSO login page.Same behavior when Header-Auth is set via the REST API (
POST /v1/resource/{id}/header-auth) — but that variant is wiped on the next blueprint reconciliation, so blueprint labels are the only persistent option.Expected Behavior
When both
auth.sso-enabled=trueandauth.basic-auth.*are set, SSO should be the primary auth path for browsers:302redirect to the SSO login page (current SSO-only behavior).WWW-Authenticate: Basicheader in 401 responses, so browsers don't pop a Basic dialog ahead of the SSO redirect.Authorization: Basic …, so tooling/CI/curl with a stored credential keeps working.A minimal switch to control this (any of the following would solve it):
auth.basic-auth.challenge=false(default when SSO is also enabled) that suppresses theWWW-Authenticateheader but keeps accepting incoming Basic credentials.auth.sso-enabled=true, do not emitWWW-Authenticate: Basicon no-auth responses.auth.basic-auth.modelabel with valuesprimary(current behavior) andbypass(proposed default).