How the SWG handles clients' authentication headers - BASIC credentials, bearer authentication and JSON Web Token (JWT)
The basic rule is that the SWG forwards any credential that it does not consume itself (refer to the "authenticate()" property in the SGOS admin manual).
Some practical examples, carried out in a lab, are the best way to explain the matter.
The clear-text HTTP website "http://httpforever.com/" can be used for testing, so that the upstream dialogue can be observed (over HTTPS it would be encrypted). Please do not carry out the same tests in production.
Standard/default SWG behavior, in which no client credentials are forwarded upstream:
The default behavior can be overridden with the "server.authenticate.basic()" gesture ("authenticate to an upstream server using the user's BASIC credentials"). CPL example for the above test:
; *** Forward Credentials to "httpforever.com" CPL ***
<Proxy>
url.host.exact="httpforever.com" server.authenticate.basic(origin)
; ***
Outcome:
The same "client <> SWG" authentication process as above, but in this case the user's credentials are also sent to the web server:
Bearer authentication and JSON Web Token (JWT) forwarding can be tested with a POST to the same website from the Postman client app:
The SWG authenticates the user through the usual process but does not "touch" the bearer token:
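The lab tests above depend on a clear-text site so that the upstream request can be inspected. The following Python harness is an added example, not part of this article and not SGOS or Broadcom code: it starts a local echo server that reports which credential headers actually reached it, and a client that sends BASIC, Bearer or Proxy-Authorization headers either directly or through a proxy. Running the same probe with the SWG as the proxy shows, for the policy in force, which credentials the SWG consumed and which it forwarded. The user name, password, token and the proxy address ("http://swg.lab.example:8080") are constructed placeholders.

```python
"""Lab harness: which authentication headers reach the upstream server?

Added example (not SGOS/Broadcom code). All credentials and the proxy
address are constructed for the lab run.
"""
import base64
import json
import os
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The credential headers a web server (origin) could receive.
AUTH_HEADERS = ("Authorization", "Proxy-Authorization")


class EchoHandler(BaseHTTPRequestHandler):
    """Replies to any GET/POST with a JSON object of the credential headers seen."""

    def _reply(self):
        # self.headers is case-insensitive, so 'Proxy-authorization' still matches.
        seen = {name: self.headers.get(name)
                for name in AUTH_HEADERS if name in self.headers}
        body = json.dumps(seen).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _reply
    do_POST = _reply

    def log_message(self, *args):
        pass  # keep the lab output quiet


def start_echo_server():
    """Start the echo server on an ephemeral 127.0.0.1 port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def basic_header(user, password):
    """Build the value of a BASIC Authorization header (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def probe(url, headers, proxy=None):
    """Send a GET carrying `headers`, optionally through an HTTP proxy, and
    return the credential headers the echo server reports it received."""
    # An empty ProxyHandler also disables environment proxies for the direct case.
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy} if proxy else {}))
    req = urllib.request.Request(url, headers=headers)
    with opener.open(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def classify(seen):
    """Summarise which credential kinds the upstream actually received."""
    auth = seen.get("Authorization") or ""
    return {
        "basic_forwarded": auth.startswith("Basic "),
        "bearer_forwarded": auth.startswith("Bearer "),
        "proxy_auth_leaked": "Proxy-Authorization" in seen,
    }


if __name__ == "__main__":
    server, port = start_echo_server()
    target = f"http://127.0.0.1:{port}/"
    # Set LAB_PROXY to the SWG (e.g. http://swg.lab.example:8080, constructed)
    # to run the same probes through the proxy; unset means direct.
    proxy = os.environ.get("LAB_PROXY")
    for label, hdrs in [
        ("BASIC", {"Authorization": basic_header("alice", "s3cret-constructed")}),
        ("Bearer", {"Authorization": "Bearer eyJ.constructed.jwt"}),
        ("Proxy-Auth", {"Proxy-Authorization": basic_header("alice", "s3cret-constructed")}),
    ]:
        print(label, classify(probe(target, hdrs, proxy)))
    server.shutdown()
```

In the direct run every header reaches the echo server, which is the baseline the proxied run is compared against. With `LAB_PROXY` pointing at the SWG (the echo server must be reachable from the proxy, so bind it to a lab address rather than 127.0.0.1 in that case), a 407 from the proxy means the client side still has to authenticate to the SWG; urllib's `ProxyHandler` adds a `Proxy-Authorization` header itself when the proxy URL carries `user:password@`, which keeps the proxy credential separate from the origin credential under test.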