Custom Header for API Authorization #6420

Closed
opened 2025-12-29 19:40:30 +01:00 by adam · 9 comments

Originally created by @weidi on GitHub (Apr 28, 2022).

NetBox version

v3.2.0

Feature type

Change to existing functionality

Proposed functionality

Allow changing the Token Authentication keyword to allow more "standard" REST Authentication.

Use case

We try implementing different tools around NetBox but per default e.g. PowerShell or vRealize Orchestrator build the authentication header with "Bearer" instead of "Token" as keyword.

There is an interesting post about the same here and there was another request in #6614, so I wanted to bring this up again for discussion.
https://medium.com/@nico.candela/django-rest-framework-bearer-token-ac6c1dff00ef

Database changes

No response

External dependencies

No response

adam added the "type: feature", "pending closure" and "status: under review" labels 2025-12-29 19:40:30 +01:00
adam closed this issue 2025-12-29 19:40:30 +01:00

@kkthxbye-code commented on GitHub (Apr 28, 2022):

django-rest-framework supports [changing the keyword](https://github.com/encode/django-rest-framework/commit/ffdac0d93619b7ec6039b94ce0e563f0330faeb1) (the token part of the auth header), which we could make customizable pretty easily by just setting the keyword here:

https://github.com/netbox-community/netbox/blob/a1c1532614237cde735e85a3a4502ce5a2834a35/netbox/netbox/api/authentication.py#L12

Changing the header entirely is not supported and a [request to add it was rejected](https://github.com/encode/django-rest-framework/issues/7605). To support it we would have to override the authenticate method, which might be fine as we are already overriding the authenticate_credentials method.

Not sure I like the change from an HTTP spec standpoint and I'm kind of inclined to pass the blame to the tools you are using.

As a sidenote I'm a little confused about you mentioning PowerShell. It should be very possible to send whatever you want in the Authorization header when using Invoke-WebRequest.

That being said, if Jeremy signs off on it, I don't mind implementing it. Either option should be easy to implement.


@weidi commented on GitHub (Apr 28, 2022):

I'm totally on your side that it's for sure a tools problem that there is not enough flexibility on some tools, but e.g. PowerShell needs that custom header built around the request.

```powershell
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", 'Token ThisIsTheRandomAPIToken')
$headers.Add("Content-Type", 'application/json')
$headers.Add("Accept", 'application/json')
# Fetch information about host
$result = (Invoke-RestMethod -Uri "$api_base_url/dcim/sites/?name=$($SiteShortcut.ToLower())" -Headers $headers).results[0]
```

Think changing the token completely is breaking too much stuff around it but allowing both Token or Bearer as keyword would instantly generate value for all use cases.
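
The "accept both Token and Bearer" idea from the comment above, sketched as an added example (this is not NetBox or Django REST Framework code): a framework-free parser for the Authorization header value that treats the keyword case-insensitively and rejects malformed credentials. The names `extract_token`, `authenticate`, `ACCEPTED_KEYWORDS` and `SAMPLE_KEYS` are assumptions made for the illustration.

```python
import hmac
from typing import Optional

# Assumption: the server accepts either keyword, as proposed in the thread.
ACCEPTED_KEYWORDS = ("token", "bearer")

# Constructed sample data standing in for the token table: {key: user}.
SAMPLE_KEYS = {"ThisIsTheRandomAPIToken": "automation"}


class AuthHeaderError(ValueError):
    """The header names an accepted keyword but cannot be authenticated."""


def extract_token(header, keywords=ACCEPTED_KEYWORDS) -> Optional[str]:
    """Return the credential from an Authorization header value.

    None means "not ours" (no header, or another scheme such as Basic),
    so other authenticators can still run. Malformed headers raise.
    """
    parts = (header or "").split()
    # Auth scheme names are compared case-insensitively.
    if not parts or parts[0].lower() not in keywords:
        return None
    if len(parts) == 1:
        raise AuthHeaderError("no credentials provided")
    if len(parts) > 2:
        raise AuthHeaderError("token must not contain spaces")
    return parts[1]


def authenticate(header, stored_keys=SAMPLE_KEYS) -> Optional[str]:
    """Map a header value to a user name, or None if the scheme is not ours."""
    token = extract_token(header)
    if token is None:
        return None
    match = None
    for key, user in stored_keys.items():
        # Constant-time comparison; no early exit on the first match.
        if hmac.compare_digest(key.encode(), token.encode()):
            match = user
    if match is None:
        raise AuthHeaderError("invalid token")
    return match
```

Accepting a second keyword changes only how the header is parsed; the credential is still the same static API token, with no OAuth token workflow behind it.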


@SirVlad commented on GitHub (Apr 29, 2022):

I would support this request as it will be compliant with the RFC for OAuth2
https://datatracker.ietf.org/doc/html/rfc6749#section-7.1


@kkthxbye-code commented on GitHub (Apr 29, 2022):

@SirVlad - Not sure I follow, as we are not using OAuth for API access in netbox.


@SirVlad commented on GitHub (Apr 29, 2022):

> @SirVlad - Not sure I follow, as we are not using OAuth for API access in netbox.

I just wanted to mention that the word "bearer" is used in many REST Authentication Token implementations like OAuth.
bearer I think is more common.


@DanSheps commented on GitHub (May 2, 2022):

A Bearer token is a specific type of token (I am not going to dive too deep in it) and typically where you see a Bearer token is where there is a token workflow (request token, access token, etc) to help differentiate between the token types in the workflow.

I believe it is almost exclusively an OAuth construct and not used outside of that.


@jeremystretch commented on GitHub (May 12, 2022):

I don't see any compelling use case here. The Token keyword is defined by default in [Django REST Framework](https://medium.com/@nico.candela/django-rest-framework-bearer-token-ac6c1dff00ef) and no one has provided a good reason why it might need to be changed. If you're not able to craft an HTTP request with the necessary header, it's likely because the tool you're using wasn't meant to be used in that way.


@github-actions[bot] commented on GitHub (Jul 12, 2022):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our contributing guide.


@github-actions[bot] commented on GitHub (Aug 12, 2022):

This issue has been automatically closed due to lack of activity. In an effort to reduce noise, please do not comment any further. Note that the core maintainers may elect to reopen this issue at a later date if deemed necessary.


Reference: starred/netbox#6420