basic-auth doesn't work with Chrome

J B June 6, 2019

Some information about the structure behind my self-hosted Confluence Wiki: Confluence itself runs in a Docker container (official Docker image from Atlassian); it's secured by a reverse proxy with mod_secure and basic-auth. There are no errors in the reverse proxy error log (including mod_secure logs) or in the Confluence logs. Additionally, the plugin Secure Login (2FA) by Syracom AG is also installed with some software OTP tokens.

The problem only occurs with Google Chrome (also tested with Mozilla Firefox and Microsoft Edge, all with and without cache/private mode) and only with non-administrator/non-2FA users. After authenticating at the reverse proxy via basic-auth and authenticating at Confluence with normal user credentials, the reverse proxy immediately asks for authentication again via basic-auth. The problem also occurs when I first log in with an administrator, log off and log on with a non-administrator/non-two-factor-auth user.

All software versions are up to date (Confluence 6.15.4).

Thank you in advance for any advice which might be a solution.

If you need any further technical information about the setup, just ask.

 

UPDATE
When I reload the start page from a non-admin/non-2FA user, my browser console shows one 404 error and one 401 error. The 401 error (authentication required) leads Chrome to discard known basic-auth credentials for the site. Firefox and Edge seem to ignore the 401 error, as long as they can load other resources of the site. The 401 error is generated by some API access. How can I prevent that? According to my tests the 401 error only occurs with non-administrator users, so the 2FA plugin probably has nothing to do with the HTTP error.

1 answer

Answer accepted
Jack Brickey
Community Leader
December 20, 2021

@J B, this is a rather old post. I was wondering if this is still occurring and, if not, did you discover the cause?

J B February 21, 2022

The issue was fixed by changing the reverse proxy configuration. We didn't discover the root cause.

The issue was probably fixed with these parameters in the Apache VirtualHost:

RequestHeader unset Authorization
Header always edit WWW-Authenticate ^Basic SR_Basic

As written above, I don't know exactly whether this has fixed the issue or which side effects come with it. Paste with caution :-)
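
The `Header always edit WWW-Authenticate ^Basic SR_Basic` line from the reply above, modelled in Python on constructed backend responses (an added example, not part of the original posts; the paths and realm names are made up). It lists which 401 responses would still carry a `Basic` challenge, and goes one case beyond the thread: a header value that does not begin with `Basic`.

```python
import re

# Constructed sample: (path, status, WWW-Authenticate values) as a backend might
# return them to the reverse proxy. Paths and realm names are made up.
BACKEND_RESPONSES = [
    ("/", 200, []),
    ("/rest/example/items", 401, ['Basic realm="Backend App"']),
    ("/images/missing.png", 404, []),
    ("/rest/example/token", 401, ['Bearer realm="api", Basic realm="Backend App"']),
]

# Comma-separated pieces of a header value, ignoring commas inside quoted strings.
_PART = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')

def parse_challenges(value):
    """Split one WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    challenges = []
    for part in _PART.findall(value):
        part = part.strip()
        # A piece that starts with a bare token (no "=") opens a new challenge.
        start = re.match(r'([^\s=]+)(?:\s+(.*))?$', part)
        if start:
            challenges.append((start.group(1), {}))
            part = start.group(2) or ""
        if "=" in part and challenges:
            name, _, val = part.partition("=")
            challenges[-1][1][name.strip().lower()] = val.strip().strip('"')
    return challenges

def proxy_edit(value):
    """Model of the edit rule: replace a leading 'Basic' with 'SR_Basic'."""
    return re.sub(r"^Basic", "SR_Basic", value, count=1)

def basic_401s(responses, edited):
    """Return (path, realm) for each 401 that still carries a Basic challenge."""
    hits = []
    for path, status, values in responses:
        if status != 401:
            continue
        for value in values:
            value = proxy_edit(value) if edited else value
            for scheme, params in parse_challenges(value):
                if scheme.lower() == "basic":  # scheme names are case-insensitive
                    hits.append((path, params.get("realm")))
    return hits

if __name__ == "__main__":
    print("without edit:", basic_401s(BACKEND_RESPONSES, edited=False))
    print("with edit:   ", basic_401s(BACKEND_RESPONSES, edited=True))
```

On this sample the anchored `^Basic` pattern leaves the combined `Bearer ..., Basic ...` value untouched, so that response keeps its `Basic` challenge after the edit.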
