This situation has been foreseen - and this has nothing to do with the authorization flow - the problem as you correctly identified is that NGINX and openHAB share the HTTP Authorization header and that leads to conflicts.
There’s a way to make the openHAB UI use a different header (X-OPENHAB-TOKEN) in those cases, which is to make NGINX set a cookie accessible to JavaScript that will tell it to use a different header to transmit its own authorization credentials. The cookie’s name is X-OPENHAB-AUTH-HEADER, and you can set it to any value you want as long as it is present. I know that this needs proper documentation but we’ll get there.
So anyway in NGINX putting something like this in your ‘location’ block should work:
Note: from a security perspective, that second line is rather important to include when you’re doing authorization at the reverse proxy level; it ensures the header containing the credentials, meant to be exclusively for the proxy, is filtered out and not transmitted (likely in clear text) in the internal network.
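A sketch of the kind of `location` block the post above describes, added here as an example and not the poster's original snippet. The upstream address `http://localhost:8080`, the realm string and the cookie value `1` are assumptions; `/etc/nginx/.htpasswd` is the file mentioned later in this thread.

```nginx
location / {
    # Basic auth is checked by the proxy, against the proxy's own user file.
    auth_basic           "openHAB";               # realm string: assumption
    auth_basic_user_file /etc/nginx/.htpasswd;

    proxy_pass       http://localhost:8080;       # assumed openHAB upstream
    proxy_set_header Host              $http_host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Flag cookie for the openHAB UI: its presence tells the UI to send its
    # own credentials in X-OPENHAB-TOKEN instead of Authorization.
    # It must stay readable by JavaScript, so no HttpOnly attribute; it
    # carries no secret, only the flag (value "1" is arbitrary).
    # Note: add_header is inherited from the server level only when this
    # location defines no add_header of its own, so headers set at server
    # level have to be repeated here once this line is added.
    add_header Set-Cookie "X-OPENHAB-AUTH-HEADER=1; Path=/";

    # Strip the Basic credentials that were meant for the proxy only, so
    # they are not forwarded to the upstream over the internal network.
    proxy_set_header Authorization "";
}
```

Run `nginx -t` after editing to check the syntax before reloading.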
Is there a link to the authentication model for OH3 and X-OPENHAB-AUTH-HEADER? A quick search here doesn’t match anything. I’m confused about the authentication support in OH3. I use a web browser that doesn’t support Basic Authentication and it would be great if OH3 kept a cookie or supported OAuth.
See the current template at https://github.com/openhab/openhabian/edit/master/includes/nginx.conf.
Should I just add another add_header (i.e. line 24) or does it have to be inside the ‘location’ block as @ysc said? Would I even need another such block?
OH2 with nginx with Basic Auth - when I open Paper UI or Basic UI I needed to enter the login and password, same as in /etc/nginx/.htpasswd.
On the same nginx conf but on OH3 - when I open the openHAB Main UI or Basic UI I needed to enter the login and password set for the administrator from Main UI.
Now I added SSL to nginx and on OH3 - when I open Main UI or Basic UI I enter the login and pass from .htpasswd and also, in Main UI, an additional login and pass for the administrator.
You would need to create a user other than admin inside OH3, preferably with the same name that you use in your oh client app and nginx conf.
Dunno how. I think I saw some post here about doing that in the Karaf console but I can’t find it any more.
(ping @hmerk I might be mistaken but wasn’t it you who wrote that?)
Of course there is if you do not remove it from nginx.
Since you probably want to access without password, you need to create an oh user (and use that on the client side) inside oh3 and disable auth in nginx.