MFA / 2FA does not correctly send _password via REST
Concerned version
Version: %2.0.16
Platform: (Nginx) | Docker
Summary
An application is protected via a REST LLNG Handler, and headers are passed to the application like so:
- uid as REMOTE_USER
- _password as REMOTE_PASSWORD
Works fine - with the exception of impersonation/context switching, but that is another issue that cannot be resolved.
When using MFA (we have tested with WebAuthn), we have found that the _password variable is no longer sent to the Remote LLNG Handler, and a blank REMOTE_PASSWORD header is sent to the protected application.
Backends used
Simple system with Portal, Handler, and Manager all on one host, and remote handlers that are connected via REST (previously SOAP) either per service or for each physical machine. PostgreSQL storage for LLNG Portal, and filesystem storage for REST.
graph TD
LLNGPORTAL(Portal Server) -->LLNGHANDLER(LLNG Remote Handler REST) -->APP(Application)
LLNGHANDLER-->LLNGPORTAL