Bypass the OpenID Authentication for the API user in OTRS

[sagar30051991]

I have configure the openidc setup in OTRS Ticket System Application using Apache.
I want to bypass this Authentication for the Specific API user.
Can you someone please help.

[nneul]

Not sure if it is what you need, but I use this approach to allow certain apps to directly authenticate with basic auth and not do the SSO flows:

<Location /auth-cgi-bin>
    <If "-n req('Authorization')">
        AuthName "whatever"
        AuthType Basic
        AuthBasicProvider ldap-provider-name
        require valid-user
    </If>
    <ElseIf "-n req('X-Disable-AzureAD')">
        AuthName "Another option for fallback"
        AuthType Basic
        AuthBasicProvider ldap-provider-name
        require valid-user
    </ElseIf>
    <Else>
        Require valid-user
        AuthType openid-connect
    </Else>
</Location>

[zandbelt]

Just be aware of the consequences of such a setup: you'll reduce the leverage of (potentially) more secure (e.g. multi-factor) authentication at the Provider to a simple header + password attack. In other words: this is now a weak spot.

[nneul]

Very true... in the case of this, we were just wanting to make it easier for users to move to SSO, less concern about the 'forcing MFA' (even though we do). For the API users, it would probably be much better for us to restrict those two side cases to specific narrow user cases.