mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-13 19:54:13 -05:00
[GH-ISSUE #3099] Blueprint auth.basic-auth labels override SSO priority, emit Basic challenge ahead of SSO redirect (regression) #39107
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @strausmann on GitHub (May 17, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/3099
Originally assigned to: @oschwartz10612 on GitHub.
Describe the Bug
When a public resource has both
auth.sso-enabled=trueandauth.basic-auth.user/passwordset via blueprint labels, Pangolin answers an unauthenticated request withHTTP 401+WWW-Authenticate: Basic realm="pangolin"instead of issuing a302redirect to the SSO login page.Result: browsers show the native Basic-Auth login dialog first, and only fall through to the SSO redirect (delivered in the HTML body) if the user clicks "Cancel" on the dialog. The intended UX is the opposite — SSO for browser users, Basic-Auth as a bypass for tooling/CI/curl.
The HTML response body still contains the SSO fallback, but the
WWW-Authenticateheader always wins in the browser, which makes the user-facing experience confusing on a resource that is explicitly configured to use SSO.This behavior used to be SSO-priority earlier (Basic-Auth headers were accepted when the client proactively sent them, but no Basic challenge was emitted on no-auth requests). Filing this as a regression.
Environment
To Reproduce
<key>,full-domain,portas appropriate):pangolin-newtso the blueprint syncs.curl -i https://example.com/→ returnsHTTP 401withWWW-Authenticate: Basic realm="pangolin". Body contains an SSO redirect fallback.curl -i -u automation:<password> https://example.com/→ 200 OK (Basic-Auth bypass works).https://example.com/in a browser → native Basic-Auth dialog appears, not the SSO login page.Same behavior when Header-Auth is set via the REST API (
POST /v1/resource/{id}/header-auth) — but that variant is wiped on the next blueprint reconciliation, so blueprint labels are the only persistent option.Expected Behavior
When both
auth.sso-enabled=trueandauth.basic-auth.*are set, SSO should be the primary auth path for browsers:302redirect to the SSO login page (current SSO-only behavior).WWW-Authenticate: Basicheader in 401 responses, so browsers don't pop a Basic dialog ahead of the SSO redirect.Authorization: Basic …, so tooling/CI/curl with a stored credential keeps working.A minimal switch to control this (any of the following would solve it):
auth.basic-auth.challenge=false(default when SSO is also enabled) that suppresses theWWW-Authenticateheader but keeps accepting incoming Basic credentials.auth.sso-enabled=true, do not emitWWW-Authenticate: Basicon no-auth responses.auth.basic-auth.modelabel with valuesprimary(current behavior) andbypass(proposed default).@github-actions[bot] commented on GitHub (Jun 1, 2026):
This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
@strausmann commented on GitHub (Jun 1, 2026):
?
@AstralDestiny commented on GitHub (Jun 1, 2026):
Mmm should be a 307/308 but will poke the others.
@LaurenceJJones commented on GitHub (Jun 1, 2026):
This is hard to do as using basic auth AFAIK uses the traefik middleware under the hood so we cant control the ordering so ultimately this will trigger before the requests makes it to the pangolin dashboard.
Why? who says this should be so? there might be a user that wants the opposite we so cant really presume what somebody wants
Any reason you could just not use basic auth and just use a shared link instead using the access token approach? https://docs.pangolin.net/manage/access-control/links#use-the-access-token