Accessing the Web Service API through a proxy

Haro Thierrij shared this question 25 days ago
Awaiting Reply

One of our customers has an environment with the following configuration:

  • Yellowfin is installed in Docker containers.
  • The Yellowfin environment is accessible through a Traefik Proxy.
  • To access Yellowfin, you first have to log in to the proxy. Then you can log in to Yellowfin.
  • For the end-users, Yellowfin SSO is enabled.

This works fine for the end-users: they can log in to the proxy and then use Yellowfin.

We now want to use the Web Service API to automate some processes. In order to access the API, we first have to log in to the proxy, and then the proxy will forward the request to Yellowfin. The authentication of the proxy is possible by using the authentication header "Authorization", which works fine. But then we have to authenticate to Yellowfin, which also requires the "Authorization" header. It isn't possible to send 2 authorization headers in the request (one for the proxy and one for Yellowfin), so we cannot use the API at this moment.

Are there other possibilities to authenticate to the API? Maybe by sending the authorization header with another name, or using a cookie, or something else?

Comments (3)


Hi Haro,

Thanks for reaching out to support with your question.

So this type of integration assistance would be out of scope for support technically; we can provide personalized help here with our consulting partners, I can reach out to an account manager on your behalf to set something up if you'd like.

That said, this does sound like a potential dev request, i.e. "Yellowfin Web Service API calls don't work with Traefik authentication, due to identical header parameters" - does this sound right? I may be able to get this logged and tested, maybe you have screenshots or documentation that better illustrates this conflict?

What I could also do is request an update to our Docker documentation that includes API / proxy configuration details -

https://wiki.yellowfinbi.com/display/yfcurrent/Install+And+Deploy+Yellowfin

Would this be something you'd be interested in?

If the issue is these 2 identical headers not working, maybe there's a way to "combine" the SSO so only 1 "authentication" header gets passed? I'm not an integration specialist, but that would be a potential path forward here I believe. Maybe you can find a Traefik feature to "delegate" this.

https://doc.traefik.io/traefik/middlewares/http/forwardauth/

You also may have success with an API change, JSAPI versus SOAP for example. Let me know how you'd like to proceed with this.

Thanks,

Eric


Hi Eric,


Thanks for your investigation and reply.


I've attached a screenshot of Postman to explain the issue. In order to authenticate to the Proxy, we need to pass the Authorization and Permission headers that are active in the screenshot. But to authenticate to Yellowfin, we also need to pass the Accept and Authorization headers that are inactive in the screenshot.


We've tried to combine the authentication headers, but the Traefik proxy doesn't accept it.


The customer also did some investigation about an easy solution at the Traefik proxy, but didn't find it. The page you mentioned is about forwarding the proxy authentication to another application; maybe that will work, then they have to create their own authentication provider.


For now we only want to be sure there is no "easy solution" for the problem, there is no need to create a dev request. When there isn't an easy solution, the customer will develop a custom solution at the Proxy site.


Thanks,


Haro
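
Added example, not part of the thread and not Yellowfin or Traefik code: one shape the custom proxy-side solution could take with the ForwardAuth middleware linked above. The auth service checks the proxy credential and hands back the application credential from a second header, relying on ForwardAuth's `authResponseHeaders` option listing `Authorization`; the header name `X-Upstream-Authorization`, the static token and port 9000 are assumptions.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample value; a real deployment would verify the proxy credential
# against its identity provider instead of a static token.
PROXY_CREDENTIAL = "Bearer proxy-demo-token"
# Hypothetical header name the API client uses for the application credential.
UPSTREAM_HEADER = "X-Upstream-Authorization"


def decide(headers):
    """Return (status, response_headers) for one ForwardAuth check.

    `headers` is a list of (name, value) pairs so duplicates stay visible.
    """
    def values(name):
        return [v for k, v in headers if k.lower() == name.lower()]

    proxy = values("Authorization")
    upstream = values(UPSTREAM_HEADER)
    # Missing or duplicated proxy credential: refuse, never guess which one counts.
    if len(proxy) != 1 or not hmac.compare_digest(
            proxy[0].encode(), PROXY_CREDENTIAL.encode()):
        return 401, {"WWW-Authenticate": "Bearer"}
    if len(upstream) != 1 or not upstream[0].strip():
        return 400, {}
    # Traefik copies this header onto the forwarded request when "Authorization"
    # is listed in authResponseHeaders, replacing the proxy credential so it
    # never reaches the application behind the proxy.
    return 200, {"Authorization": upstream[0].strip()}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Message.items() keeps repeated headers as separate pairs.
        status, out = decide(self.headers.items())
        self.send_response(status)
        for name, value in out.items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), Handler).serve_forever()
```

With this in place the API client sends a single `Authorization` header for the proxy and the application credential under the second name, so the two never collide in one request.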


Hi Haro,

Thanks for the reply here, what I can do is have a quick discussion about this with my consultant friend Edgar at our meeting next week, he should have an idea or a definitive answer at least. My hunch is that this will require a little legwork in the end though.... do you know whether there is any extended service time available in your contract? You can reach out to an account manager and possibly schedule a meeting on this if so.

Thanks,

Eric


Hi Haro,

Apologies for the delay here, I forgot my consultant meeting occurred on a US holiday last week. I can follow up on this later this week, let me know if you're able to schedule ES time on this as well.

Thanks,

Eric