Skip to content

awx remote user authentication issue #16109

New issue
New issue
Open
Open
awx remote user authentication issue#16109
Labels
communityneeds_triage
@jinsli

Description

@jinsli
jinsli
opened on Sep 28, 2025

Hi All,

I'm trying to enable and verify "Remote User Authentication" in AWX by passing user identity through HTTP headers (e.g. 'X-Auth-Request-User')

I have several questions regarding:

  • How is the Remote User authentication mechanism triggered in AWX?
  • How to bypass external auth providers (such as SSO) to test remote user authentication
  • What exact configurations are required
  • How to properly test this setup (e.g., via curl)

Here is the Background / Setup

  • AWX version: 24.6.1
  • AWX Operator version: 2.19.1
  • Deployment: Kubernetes (via AWX Operator)
  • Goal: Pass user identity through a header and have AWX trust it for authentication and authorization

And configured the AWX CR extra_settings as follows:


extra_settings:
  - setting: MIDDLEWARE
    value: '[
...
      "django.contrib.auth.middleware.RemoteUserMiddleware"
    ]'

  - setting: REMOTE_USER_HEADER
    value: '"HTTP_X_AUTH_REQUEST_USER"'

  - setting: AUTHENTICATION_BACKENDS
    value: '[
      "django.contrib.auth.backends.RemoteUserBackend",
      "awx.sso.backends.TACACSPlusBackend",
      "awx.main.backends.AWXModelBackend"
    ]'

espite this, when sending the curl request, the response is:

HTTP/2 401 
{"detail":"Authentication credentials were not provided. To establish a login session, visit /api/login/."}

Debugging Output

To confirm the configuration was correctly loaded, I entered the awx-web container and ran:

>>> from django.conf import settings

>>> print("REMOTE_USER_HEADER:", settings.REMOTE_USER_HEADER)
REMOTE_USER_HEADER: HTTP_X_AUTH_REQUEST_USER

>>> print("AUTHENTICATION_BACKENDS:", settings.AUTHENTICATION_BACKENDS)
['django.contrib.auth.backends.RemoteUserBackend', 'awx.sso.backends.TACACSPlusBackend', 'awx.main.backends.AWXModelBackend']

>>> print("\n".join(settings.MIDDLEWARE))
# ... (middleware list as configured above)

Everything seems to be loaded as expected, but Remote User auth does not appear to be triggered.

If there is any official documentation or example configuration (especially for AWX Operator-based setups), I would greatly appreciate it if you could share.

Metadata

Metadata

Assignees

No one assigned

    Labels

    communityneeds_triage

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions