Import from Access Server doesn't send basic auth credentials

Open jacopotediosi opened this issue 3 years ago • 6 comments

#436 implemented the "Import from Access Server" feature.

As stated in the OpenVPN WebAuth documentation, the client should send credentials using HTTP Basic Authentication.

OpenVPN-GUI v11.26.0.0 (latest version available in the OpenVPN "Community Downloads" webpage) on Windows 10 seems not to send the Authorization header.

jacopotediosi avatar Mar 08 '22 17:03 jacopotediosi

While not familiar with that specific implementation, a lot of HTTP implementations only send the credentials after getting a 401 response. Have you checked that the server sends a 401?

schwabe avatar Mar 08 '22 17:03 schwabe

While not familiar with that specific implementation, a lot of HTTP implementations only send the credentials after getting a 401 response. Have you checked that the server sends a 401?

You are right, the client sends a second request with the Authorization header if server replied with 401 and a "WWW-Authenticate: Basic" header to the first one. Still, I'm not sure this should be the intended behaviour.

jacopotediosi avatar Mar 08 '22 18:03 jacopotediosi

While not familiar with that specific implementation, a lot of HTTP implementations only send the credentials after getting a 401 response. Have you checked that the server sends a 401?

You are right, the client sends a second request with the Authorization header if server replied with 401 and a "WWW-Authenticate: Basic" header to the first one. Still, I'm not sure this should be the intended behaviour.

I think that's how basic auth works -- see rfc 7235. The server responds with 401 (unauthorized) before the client sends the auth header. Anyway, the question is, does it work for you or are you running into some issue? If the latter it could be something other than not sending credentials.

selvanair avatar Mar 08 '22 18:03 selvanair

oops -- rfc 7235

selvanair avatar Mar 08 '22 18:03 selvanair

Responding 401 and setting the WWW-Authenticate header, it works. OpenVPN Connect V3 and many other clients immediately send the authorization header, so I leave this ticket open to let the maintainers decide if this is working as expected or not.

jacopotediosi avatar Mar 08 '22 18:03 jacopotediosi

We use wininet API and it seems to always wait for 401 and authentication header before retrying with the authorization header set. This is in spite of assigning the username and password in the request structure in advance. It may be possible to force-send authorization in the first round by explicitly constructing the header and adding it, but that's ugly. I would leave this as is unless there is a real case where the round-trip hurts or someone comes up with a better way.

selvanair avatar Mar 08 '22 22:03 selvanair
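
The exchange discussed in this thread, as an added example that is not part of the original issue or of OpenVPN-GUI's code: a server-side Basic auth check that serves both a challenge-first client (the WinINet behaviour described above) and a client that sends the header preemptively. The credentials, realm and all function names are constructed for illustration.

```python
import base64
import hmac

# Constructed demo credentials and realm; not values from the thread.
USERS = {"alice": "s3cret-demo"}
REALM = "profile-import"

def parse_basic(header):
    """Return (user, password) from an Authorization value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def handle_request(headers):
    """Return (status, response_headers) for a profile download request."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        # Challenge-first clients retry only on 401 plus this header.
        return 401, challenge
    user, password = creds
    expected = USERS.get(user, "")
    ok = user in USERS and hmac.compare_digest(password.encode(), expected.encode())
    return (200, {}) if ok else (401, challenge)

def _token(user, password):
    return base64.b64encode(f"{user}:{password}".encode()).decode()

def challenge_first_client(user, password):
    """Model of the OpenVPN-GUI (WinINet) behaviour described in the thread."""
    status, resp = handle_request({})  # first request carries no credentials
    statuses = [status]
    if status == 401 and resp.get("WWW-Authenticate", "").lower().startswith("basic"):
        status, _ = handle_request({"Authorization": "Basic " + _token(user, password)})
        statuses.append(status)
    return statuses

def preemptive_client(user, password):
    """Model of a client that sends Authorization on the first request."""
    return [handle_request({"Authorization": "Basic " + _token(user, password)})[0]]
```

A server that answers the unauthenticated first request with anything other than 401 and a `WWW-Authenticate: Basic` challenge gives the challenge-first client nothing to retry on, which matches what was observed in this issue.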