Comma separated, quoted strings as REMOTE_AUTH_ #5539

Closed
opened 2025-12-29 19:29:08 +01:00 by adam · 4 comments

Originally created by @FOTempel on GitHub (Oct 20, 2021).

### NetBox version

v3.0.7

### Python version

3.9

### Steps to Reproduce

I'm building an SSO solution to Netbox. It took me a while to get to the point I can actually log in with an AD user using ADFS, but I managed to do it. But now I arrived at the permissions. For now I just need admin users, so I have one group dedicated to it, let's name it ADNetboxAdmins. I'm a member of said group in AD.

The oauth2 proxy I use, [vouch-proxy](https://github.com/vouch/vouch-proxy/) (which is pretty much the only one that'll work anyway, at least against ADFS), passes on the group claims using HTTP headers, as expected. Except the content of the header is a comma separated list of quoted strings. And this seems to be a problem for Netbox as it doesn't pick up my group membership:

```
Groups are ['"somegroup"', '"someothergroup"', '"ADNetboxAdmins"']
trying to authenticate someuser with groups ['"somegroup"', '"someothergroup"', '"ADNetboxAdmins"']
Stripping user someuser from Groups
Superuser Groups: ['"ADNetboxAdmins"']
Superuser Users: []
User someuser is in Groups:set()
User someuser in Superuser Users :set()
User someuser is Superuser: False
Superuser Groups: ['"ADNetboxAdmins"']
Superuser Users: []
User someuser is in Groups:set()
User someuser in Superuser Users :set()
User someuser should be Superuser: False
Superuser Groups: []
Staff Users :[]
User someuser is in Groups:set()
User someuser in Staff Users :set()
User someuser is Staff: False
Superuser Groups: []
Staff Users :[]
User someuser is in Groups:set()
User someuser in Staff Users :set()
User someuser should be Staff: False
```

The request that comes from Nginx after logging in with oauth looks kinda like this:

```
X-Real-IP: 10.60.8.228
X-Forwarded-For: 10.60.8.228
X-Forwarded-Proto: https
Remote-User: someuser
Remote-User-Groups: "somegroup","someothergroup","ADNetboxAdmins"
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.56
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
sec-ch-ua-mobile: ?0
Accept-Encoding: gzip, deflate, br
Accept-Language: nl
Cookie: VouchCookie=H4<morejunk>
```

Basically, it's [this issue](https://github.com/vouch/vouch-proxy/issues/423).

Sure, I could do very funky things with nginx and reparsing headers, which requires a bunch of additional components and custom scripting, but I prefer this problem to be solved in the application, as it's apparently an implementation of multivalued headers that needs to be done right, or whatever. You're already dealing with separators through `REMOTE_AUTH_GROUP_SEPARATOR`, might as well deal with a list of quoted strings too, no?

Reproduce:

- Set up authentication in Netbox using Nginx and vouch-proxy against a Microsoft ADFS (this should keep you busy for a while to get going; as a start, see: https://questionable.one/post/secure-netbox-with-oauth2/)
- Make sure to also pass on the groups claims
- Configure Netbox with the additional `REMOTE_AUTH` options required to deal with groups. I have this:

  ```
  REMOTE_AUTH_ENABLED=True
  REMOTE_AUTH_BACKEND='netbox.authentication.RemoteUserBackend'
  REMOTE_AUTH_GROUP_SYNC_ENABLED=True
  REMOTE_AUTH_AUTO_CREATE_USER=True
  REMOTE_AUTH_SUPERUSER_GROUPS=['"ADNetboxAdmins"']
  REMOTE_AUTH_HEADER='HTTP_REMOTE_USER'
  REMOTE_AUTH_GROUP_HEADER='HTTP_REMOTE_USER_GROUPS'
  REMOTE_AUTH_GROUP_SEPARATOR=','
  ```

  Note, yes, I also tried `REMOTE_AUTH_SUPERUSER_GROUPS=['ADNetboxAdmins']`

- Configure Netbox to do some extra logging so you catch stuff as it happens
- Try to log in through what you just built and watch the logs

As it's quite involved getting any of this to work, I'm more than happy to test any solutions anyone can come up with. It would probably be some parsing magic in the `_get_groups` function, [here](https://github.com/netbox-community/netbox/blob/090df051934c88a0ed118694e082afb540b5bb4e/netbox/netbox/middleware.py#L103). The right thing to do would be to fix it myself and do a PR, but I really can't be bothered to jump through all the hoops to do so, let alone the fact that I detest Python with a passion. But maybe we'll get lucky and it's only a configuration error on my end, in which case I'd also happily be told so.

### Expected Behavior

Netbox honoring whatever agreed-upon format of information is passed on as a multivalued HTTP header, which seems to be comma separated quoted strings.

### Observed Behavior

Netbox ignores everything involving groups and their permissions.

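The failure in the log above comes down to how the group header is split: a plain split on the separator leaves the double quotes inside each name, so `"ADNetboxAdmins"` (with quotes) never equals `ADNetboxAdmins` in `REMOTE_AUTH_SUPERUSER_GROUPS`, and the later comment's workaround (creating NetBox groups whose names include the quotes) makes the names match literally. The following is an added example, not NetBox's own `_get_groups` code and not code from the issue author: it contrasts the naive split with a parser built on the stdlib `csv` module that strips quotes and keeps a separator inside a quoted name intact, then performs the exact-name membership check the log implies. The header value, the superuser group list and the set of groups assumed to exist in NetBox are constructed sample data modelled on the issue.

```python
import csv
from typing import Iterable, List, Set

# Constructed sample values, modelled on the header and config shown in the issue.
SAMPLE_HEADER = '"somegroup","someothergroup","ADNetboxAdmins"'
SUPERUSER_GROUPS = ["ADNetboxAdmins"]          # what the operator wants to configure
NETBOX_GROUPS = {"ADNetboxAdmins", "readers"}  # groups assumed to exist in NetBox


def naive_split(value: str, separator: str = ",") -> List[str]:
    """Plain split on the separator: the quotes stay part of each name,
    which is why the issue's log shows names like '"ADNetboxAdmins"'."""
    return [name for name in value.split(separator) if name]


def parse_group_header(value: str, separator: str = ",") -> List[str]:
    """Parse a separator-delimited list of optionally quoted group names.

    The csv reader strips the quotes and does not split on a separator that
    sits inside a quoted name ("Domain, Admins"). Surrounding whitespace is
    removed and empty names are dropped, so an empty field can never match
    a group.
    """
    if not value:
        return []
    reader = csv.reader(
        [value], delimiter=separator, quotechar='"', skipinitialspace=True
    )
    groups: List[str] = []
    for row in reader:
        for name in row:
            name = name.strip()
            if name:
                groups.append(name)
    return groups


def matching_groups(remote_groups: Iterable[str], known_groups: Iterable[str]) -> Set[str]:
    """Exact-name intersection: membership is only granted on a literal match."""
    return set(remote_groups) & set(known_groups)


def is_superuser(remote_groups: Iterable[str], superuser_groups: Iterable[str]) -> bool:
    """True when at least one remote group is in the configured superuser list."""
    return bool(matching_groups(remote_groups, superuser_groups))


if __name__ == "__main__":
    raw = naive_split(SAMPLE_HEADER)
    parsed = parse_group_header(SAMPLE_HEADER)
    print("naive :", raw, "-> superuser:", is_superuser(raw, SUPERUSER_GROUPS))
    print("parsed:", parsed, "-> superuser:", is_superuser(parsed, SUPERUSER_GROUPS))
    print("groups present in NetBox:", sorted(matching_groups(parsed, NETBOX_GROUPS)))
```

Run stand-alone, the naive split reports `superuser: False` for the same header that the quote-aware parser resolves to `ADNetboxAdmins` and `superuser: True`. Keeping the comparison an exact set intersection (rather than a substring or case-insensitive match) is deliberate: loosening it would let an unrelated group name such as `ADNetboxAdmins-readonly` satisfy a privileged mapping.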
adam added the type: bugstatus: needs ownerpending closure labels 2025-12-29 19:29:08 +01:00
adam closed this issue 2025-12-29 19:29:08 +01:00

@FOTempel commented on GitHub (Oct 27, 2021):

@jeremystretch? @MaxRink? Anyone? Some kind of feedback would be appreciated.


@FOTempel commented on GitHub (Nov 5, 2021):

16 days later, I got it to work. Sure, the handling of the header is still a bit wonky with the quotes and separator, but it does work. Turns out I totally misunderstood what `REMOTE_AUTH_GROUP_SYNC_ENABLED=True` is supposed to do. That's on me, but it also isn't documented very well. Simply creating the group in Netbox with the exact same name as it appears in the list of groups from the IDP (including the quotes) is enough to let me log in and promote the user who is a member to whatever is needed (superuser, staff or both to actually be able to do anything in Netbox). The model with groups and permissions for those groups, especially for admins, is a little bit strange, but it's workable.

TL;DR: The solution to Netbox not working with my remote groups was to simply create the group(s) in Netbox too. Does the "bug" still stand? Maybe, but it's not a functionality breaking one now. It's just ugly to have to make double quotes part of the group name(s).


@github-actions[bot] commented on GitHub (Feb 9, 2022):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our [contributing guide](https://github.com/netbox-community/netbox/blob/develop/CONTRIBUTING.md).


@github-actions[bot] commented on GitHub (Mar 11, 2022):

This issue has been automatically closed due to lack of activity. In an effort to reduce noise, please do not comment any further. Note that the core maintainers may elect to reopen this issue at a later date if deemed necessary.


Reference: starred/netbox#5539