Access to HTML Header?

bviviano · April 7, 2025, 5:49pm

Hello,

We’re injecting X- headers from our Apache configuration that contain user additional information (GECOS, Email, etc) but I can’t find a good example of how I can access those headers from OOD, for populating default information in a form.

Specifically for we have the following in ood_portal.yml as part of our authentication process with LDAP/Active Directory:

  - 'RequestHeader set X-WEBAUTH-EMAIL %{AUTHORIZE_MAIL}e'
  - 'RequestHeader set X-WEBAUTH-FULLNAME %{AUTHORIZE_DISPLAYNAME}e'
  - 'SetEnv OOD_USER_EMAIL %{AUTHORIZE_MAIL}e'
  - 'SetEnv OOD_USER_FULLNAME %{AUTHORIZE_DISPLAYNAME}e'

I’d like to use either the X-WEBAUTH header or OOD_USER_ values inside an OOD form, and do something like follows:

support_ticket:
  attributes:
    email:
      widget: email_field
      value: "<%= ENV['OOD_USER_EMAIL'] %>"

I’ve tried using request.headers["X-WEBAUTH-EMAIL"] (with causes an error because request is not available) along with ENV['OOD_USER_EMAIL'] without success. I can see where it would be useful/valuable to be able to pass arbitrary data like this from our central authentication system (LDAP / Active Directory / Kerberos) through to the OOD PUN, to be used in a form.

I know the X-WEBAUTH headers are being passed to the PUN correctly. I use them with a ttyd interactive app for Authentication via SSO, but I can’t figure out how to correctly get the Ruby code to be able to query them from YAML in /etc/ood/config/ondemand.d.

Thanks!

jeff.ohrstrom · April 7, 2025, 5:55pm

SetEnv doesn’t really work like that. It’s not an actual environment variable (in the threads’/processes’ environment), it’s more like an internal apache environment variable (internal to that apache worker).

Right now I don’t know if we have a clear way to access things like email addresses.

bviviano · April 7, 2025, 5:59pm

Is there a way to access an injected header? Being able to pull X-WEBAUTH-EMAIL from a YAML file like

<%= request.headers["X-WEBAUTH-EMAIL"] %>

would also work.

I know I can always do something like this:

<%-
emailcmd = '/bin/mailLookup.sh ’ + ENV[“USER”]
emailaddr = %x[ #{emailcmd}]
-%>

But since Apache knows the data and it is being passed to the PUN, I wanted to try and make it a little cleaner and not have to spawn a command just to pull in the email I already have.

jeff.ohrstrom · April 7, 2025, 6:01pm

I can’t say for sure. I don’t know what all contexts the request object could be in.

bviviano · April 7, 2025, 6:03pm

It certainly isn’t inside /etc/ood/config/ondemand.d/*.yml, which is where I am trying to use it.

Does OOD maybe process and cache all HTML headers someplace? So if there is an X- header injected, is it parsed/stored in a array or hash someplace along with all the other Headers, that I can get access too?

jeff.ohrstrom · April 7, 2025, 6:07pm

Yea they’re definitly not there in the config as that’s not part of any request, it’s just a part of the boot stack.

If you can get access to any headers, you’d have to do so in the form.yml.erb or submit.yml.erb.

bviviano · April 7, 2025, 6:20pm

Ok, well, I am trying to automatically inject email value into the support_ticket form, is there a recommended way to capture that?

anderss · April 8, 2025, 1:22pm

This is my extremely low-tech way of doing it:

support_ticket:
  attributes:
    username:
      value: "<%= CurrentUser.name %>"
      readonly: true
    email:
      value: "<%= CurrentUser.name %>@university.edu"
      widget: email_field
      required: true

This only works because we only provide access to members of university.edu, so you’d need to come up with something more robust if you have a multi-tenant OOD deployment.

I am a big proponent of configuration profiles, and support_ticket is one of the properties that you can configure on a per-profile basis. If you did have two institutions and each had their own OOD Dashboard, then it would be easy to hard-code the @university.edu value for each profile. Again – very low-tech.

bviviano · April 10, 2025, 3:07pm

Thanks, that won’t work at our site, usernames and email addresses are not at all connected to each other like that. I just ended up doing:

<%-
emailcmd = "/usr/local/bin/getmail.pl " + ENV["USER"]
emailaddr = %x( #{emailcmd} )
%>
....
    email:
      widget: email_field
      readonly: true
      value: "<%= emailaddr %>"
...

The getmail.pl script is something I wrote that will take the username, query Active Directory and return the email address to stdout. Which works well enough, was just hoping to avoid needing to shell out an external command.

Thanks!

anderss · April 11, 2025, 2:01pm

Gotcha. This could also be a good case for initializers, where your script would only be invoked upon initial log-in or when restarting the PUN. I’m not sure how often the ondemand.d files get called, but it would be something to monitor if you see your AD being queried too often.

Topic		Replies	Views
Simple Portal Auth from Header (Provided by reverse Proxy) [SOLVED] Feature Requests and Roadmap Discussion feature-request	9	3431	May 26, 2022
Ondemand 3.0.0 and Xdmod 10.0.2-2.0 integration problems Get Help	9	689	February 17, 2024
How can I pass OIDC_CLAIM_EMAIL value to my applications? Get Help	3	1034	May 9, 2023
Nicer auth interface for PAM authentication? Get Help question	5	355	December 6, 2022
Authenticate with mod_auth_openidc and bearer token Get Help question	5	2471	August 22, 2022

Access to HTML Header?

Related topics