Authentication with headers without login screen

[mark-00]

In test setups we use Dancer2::Plugin::Auth::Extensible::Provider::Config and access the Dancerapp directly

In production enviroments we run Dancer2 behind an apche server. Authentication is also done by the apache server. For instance using Shibboleth. Typically the apache server sets some headers like X-Forwarded-User or X-Auth-User.

I wrote a Dancer2::Plugin::Auth::Extensible::Provider::Header that can pick up the username and roles from the headers in the request. The problem is that I don't find an entry point in the authentication code without going through a login screen. Standard a redirect to /login is done. It 's possible to change it to a post using "login_without_redirect". But I want no login screen. I just need to creat a session based on the header values

I now set the login login in the beforehook of my dancer app. But this is something that has to be added going from test to production. I want this functionality in the Dancer2::Plugin::Auth::Extensible::Provider::Header plugin. How can I implement this ?

hook 'before' => sub {
session logged_in_user => 'myusername'; # is picked up from a header.
session logged_in_user_realm => 'shibboleth';
};

get '/secure' => require_login sub {
return logged_in_user;
};

[bigpresh]

Wow, this didn't get responded to for a horribly long time - sorry :(

DPAE/D2PAE were pretty much built around "the session is in a cookie" and I don't think there's anything that would be useful to you for your requirement currently; I suspect the best approach to make your kind of setup work would be a "find a session" hook, or provider method we'd check for and call if provided, which would do whatever would be reasonable to look for a session - of course the default implementation would just be "look for a session cookie", but custom providers could add other stuff, like in your instance "look for a HTTP header set by the webserver".