View Issue Details

IDProjectCategoryView StatusLast Update
0022398mantisbtauthenticationpublic2018-02-20 05:24
Reporterarrfab Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
Product Version2.1.0 
Summary0022398: HTTP_AUTH not working

Was trying to force HTTP_AUTH for mantisbt, (as
but it doesn't seem to work
Then I realized that in the doc, there is a TODO (

Does that mean that it's not yet implemented ? Also the doc is still 1.3 while product is now 2.1.0 (needs another bug report ?)

In fact, we (CentOS Project) don't even want to rely on HTTP_AUTH, but rather on openid, but while I found some bug reports for that, it seems there is still nothing implemented.
So my "workaround" was at least to offload the auth to HTTP_AUTH, with apache using mod_auth_openid.
mod_auth_openid asks for user/pass and validates (as we use that for other web apps) but mantis doesn't seem to even use it.

Can we get clarification if that is supposed to work or not ? (while also waiting for openid plugin to work too)

Thanks a lot for your work !

TagsNo tags attached.




2018-02-15 13:06

reporter   ~0058882

IMHO (after hours of patching MantisBT sources) current version doesn't support HTTP_AUTH and simply ignores _SERVER['REMOTE_USER'] variable with user name authenticated via web-server.



2018-02-18 14:07

reporter   ~0058930

I created a pull request to fix this issue:



2018-02-19 04:12

manager   ~0058939

Thanks @raspopov for the PR and your bug report.

We have added support for auth plugins in 2.3.0 release. So you should consider to upgrade to latest to get that. To get more details about the auth plugin model, checkout the following:

The goal is to move more towards plugins and less auth schemas embedded in the core of MantisBT.

As for the HTTP_AUTH, thanks for the PR. Will hopefully provide feedback soon.



2018-02-20 05:24

reporter   ~0058975

Good to know that there is now a way to have http_auth working, but it seems that it will not be merged into mantis core
in fact, in my initial test, I wanted to use openid or openidc (so oauth2) but it doesn't seem to work either (and no plugin to be found, despite multiple requests for that in the last years)
so my idea was to use mod_auth_openid for apache, and so transparently use it for http_auth for mantis.

Issue History

Date Modified Username Field Change
2017-02-17 06:27 arrfab New Issue
2018-02-15 13:06 raspopov Note Added: 0058882
2018-02-18 14:07 raspopov Note Added: 0058930
2018-02-19 04:12 vboctor Note Added: 0058939
2018-02-20 05:24 arrfab Note Added: 0058975