I am looking to be able to POST the URL, username and password to the Browser to get it to seamlessly authenticate.
I should add that what I'm looking to achieve is to pass a JWT in the password which will be validated by a custom auth provider.
However, the Browser uses React and the login form, as far as I can tell, is just initializing the JS bolt connection internally within the JS runtime.
It does appear that there is some functionality in the E2E tests that might facilitate this with Cypress, but that looks like a test-time only solution.
The following is a GET, obviously, but it illustrates what I'm trying to achieve:
This has been a super long time. Have you made progress here?
We used to sorta implement this with the Sandbox. We have a custom auth provider that validates JWTs. However, we passed the JWT into https://myserver:7473/ (which our proxy handled instead of passing that URL into Neo4j). On that page, we set the browser Local Storage objects with the credentials on that host, which were then picked up by the browser when we redirected to the browser.
To eliminate some complexity (old JWTs timing out etc), we changed to a model where the JWT token is still passed to a page on the root of the Neo4j host, but the JavaScript there makes an API call to retrieve the actual Neo4j credentials and do the same setting of Local Storage before a redirect-- but using the actual credentials.
I think that if there was a url on the browser's HTTP(s) endpoint that accepted bolt URL, username, password, and a next URL, that a lot of this would be easier for customers.
The server could respond with nothing more than some javascript that sets the local storage in the browser, and then bounce along to the next page. It looks like simply writing the following JSON into the "neo4j.connections" local storage object would do the trick:
This could almost accomplished with an unmanaged server extension but I'm not sure if there is an option for those extensions to respond without authentication. Do you know if there is?
In any case, I think this would go a long way to making Neo4j more accessible inside an enterprise environment.
Have also considered writing an HTTP+BOLT proxy to facilitate all of this. I guess that's what you did for the Sandbox. Before BOLT came around, we did this for the HTTP(s) endpoint and it worked pretty well, since our app could decide whether to send the request to neo4j based on the session state that it already has. BOLT makes this a bit more complicated.
It looks like Nigel Small put a PoC for this together in python:
Just responded to @d.murali in another thread, but there is a way to pass in credentials for the browser.
Take a look here:
I haven't yet tried to do this with a JWT, but I don't see why it wouldn't work. Certainly would be more secure (due to time limitation) than passing a password.
As far as a proxy is concerned, we just use NGINX for the websocket proxying for the sandbox. This works for websocket bolt connections (used by the JavaScript driver), but doesn't seem to be functional for regular bolt connections from other Drivers. I haven't yet investigated why...
Is there any way to encrypt the password and send in the url query string.
Or authenticate it from/using Javascript by changing the session/localstorage.
In my requirement I would be navigating to the neo4j browser url from a reactjs application,
it would be better If there is a provision of authenticating it from a Javascript file.
