Accessing headers from `curdoc().session_context`

dkapitan · January 28, 2020, 2:49pm

Hi,

For our project we want to pass tokens (JWT) from a Keycloak Gatekeeper, to have access control on the bokeh app. Our initial solution was to pass these tokens via the headers. Bokeh 1.4.0 documentation currently states:

When a session is created for a Bokeh application, the session context is made available as curdoc().session_context . The most useful function of the session context is to make the Tornado HTTP request object available to the application as session_context.request . Due to an incompatibility issue with the usage of --num-procs only the arguments attribute can be accessed. Attempting to access any other attribute on request will result in an error.

Can someone clarify the details on the incompatibility issue and whether this is something that might be fixed in the foreseeable future?

We have successfully managed to access the headers, however, not all headers are accessible.

Bryan · January 28, 2020, 8:35pm

@dkapitan I’m a little pressed for time but TLDR; when --num-procs > 1 the secondary websocket connection can end up on a completely different process than the original HTTP request, in which case the original headers do not exist on the process that the app code runs in. We explicitly tunnel the request args through by hand to make those work.

I can comment more later, but I think you should have a look at #9536 and the associated issues. That work is to add a Bokeh-specific session token for the websocket upgrade, but that could also contain more complete header information than is currently made available.

dkapitan · January 29, 2020, 4:31am

Great, thanks. Will have a look at the issue.

dkapitan · February 18, 2020, 10:32pm

Also related to Bokeh server vs stand alone documents.