I had this on OH3.5 and through to OH4.1, and it’s beginning to irritate me, so here I am.
I already run Apache 2.4.51 on the box, so I am using this to reverse proxy to OH, and I’m using Basic HTTP authentication over TLS to authorise access from the Internet. I’ve followed the instructions I’ve found in the docs, as well as mixed it up a little bit with things people have recommended on these forums. The relevant bits from my config are thus:
# Basic auth occupies the Authorization header, so it is stripped before the request reaches OH
RequestHeader unset Authorization
Header set Access-Control-Allow-Origin *
Header set Access-Control-Allow-Credentials true
Header set Access-Control-Allow-Headers "Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range"
Header set Access-Control-Allow-Methods "GET,POST,OPTIONS,PUT,DELETE,PATCH"
# Tells the OH UI to send its JWT in the X-Openhab-Token header instead of Authorization
Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=true;path=/;Secure"
This all works fine, and as expected. When I connect from an external IP, I have to provide HTTP authentication, which works, and the page is loaded just fine. I can see that I get the cookie request, and that gets sent back in requests.
Everything is peachy and it all works. Until it doesn’t. After what I assume is half an hour, my authorisation is revoked, and the first I know about it is when I can no longer open the model, or more usually when I try to save the script I’m changing in the UI and it tells me "unauthorised" in the corner.
For the purposes of this topic, I’m using Edge, as there appears to be a caching bug with Firefox where API responses aren’t invalidated from the cache.
Investigations
- If I work directly against the OH port, bypassing the proxy, I see the Authorization header holding a Bearer JWT.
- If I work through the proxy, I see the JWT correctly being sent in the “X-Openhab-Token” header field.
- Both tokens have a 30 minute expiry in the JWT.
- A direct session will issue a POST to /rest/auth/token, where a new JWT is returned with another 30 minutes.
- The proxied session doesn’t even attempt to make this call.
Question:
Does anybody know if this is a configuration problem that I can resolve? Is anybody else in this situation where it either does or does not work?
I’ll raise a bug on GitHub if required, but I didn’t want to unnecessarily.
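A small helper for checking the investigation points above (the header the JWT arrives in, and its 30 minute lifetime) from a captured request. This is an added example, not openHAB code or anything from the original post; the sample JWT, its HS256 secret and the 5 minute "refresh due" margin are constructed here for illustration and are not openHAB's actual values or refresh policy.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumed margin before expiry at which a client should have refreshed (not openHAB's value).
REFRESH_MARGIN_S = 5 * 60


def _b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_test_jwt(iat: int, exp: int, secret: bytes = b"constructed-test-secret") -> str:
    """Build a constructed HS256 JWT with the given iat/exp; only for feeding the checks below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": "openhab", "sub": "user", "iat": iat, "exp": exp}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def extract_token(headers: dict) -> Optional[str]:
    """Find the JWT in a request, whichever way it was sent.

    Direct to OH:      Authorization: Bearer <jwt>
    Through the proxy: X-Openhab-Token: <jwt>  (Authorization is stripped by the proxy
                       and carries the Basic credentials instead)
    """
    for name, value in headers.items():
        lname = name.lower()
        if lname == "x-openhab-token":
            return value.strip()
        if lname == "authorization" and value.lower().startswith("bearer "):
            return value[len("bearer "):].strip()
    return None


def decode_claims(token: str) -> dict:
    """Decode the payload only; the signature is NOT verified (inspection, not authentication)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_status(token: str, now: int) -> dict:
    """Report lifetime, remaining time, and whether a refresh should already have happened."""
    claims = decode_claims(token)
    iat, exp = int(claims["iat"]), int(claims["exp"])
    remaining = exp - now
    return {
        "lifetime_s": exp - iat,
        "remaining_s": remaining,
        "expired": now >= exp,
        "refresh_due": remaining <= REFRESH_MARGIN_S,
    }


if __name__ == "__main__":
    iat = 1_700_000_000
    tok = make_test_jwt(iat, iat + 1800)
    # Constructed proxied request: Basic auth in Authorization, JWT in X-Openhab-Token.
    proxied = {"Authorization": "Basic dXNlcjpwYXNz", "X-Openhab-Token": tok,
               "Cookie": "X-OPENHAB-AUTH-HEADER=true"}
    print(token_status(extract_token(proxied), now=iat + 1700))
```

Pointing `extract_token` at the headers copied from the browser's network tab (direct and proxied) shows whether both paths really carry the same 30 minute token, and `token_status` shows how close to expiry the last observed request was, which is the moment the refresh POST to /rest/auth/token should have been seen.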