I recently wrote a question about bokeh security on stack overflow.
The answerer gave me good advice about the use of Bokeh secret keys and signed sessions, but it isn’t enough security for our purposes. As he said,
Is this enough to completely secure things? Technically anyone who can access the connection string sent to the browser could extract the signed session id [and fake an Origin header]…
…As a last comment, you could probably also (additionally) put the bokeh server URL behind an authenticating proxy of some sort… Though I am not sure exactly what that would look like offhand. That would be better discussed on the Discourse.
This is what we’d like to do. You can see from the original question that we’re using Flask to route users to various Bokeh servers running in the background. So, using Apache, we’d like to authenticate users before they reach the Flask app, and only allow access to the Bokeh servers once a user is authenticated and their identity is known.
How do we solve this?
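One way the "authenticating proxy in front of Flask, Flask in front of Bokeh" layout can look, as an added example that is not part of the original post and not Bokeh's or Flask's own code. It assumes Apache authenticates the browser (with whatever auth module you use), proxies both the page requests and the Bokeh websocket to the app, and forwards the authenticated name in an `X-Remote-User` header plus a shared secret in an `X-Proxy-Secret` header (both header names, the secret values and the proxy address are this example's own choices; with mod_headers on Apache 2.4.10 or later the first can be set with `RequestHeader set X-Remote-User expr=%{REMOTE_USER}`, and `set` overwrites any value a client tried to inject). The Bokeh servers are assumed to run with `--session-ids external-signed`, the same secret key, and bound to localhost so only the proxy can reach them. The app is written as plain WSGI rather than Flask so it runs with the standard library alone; the signed session id helper copies the shape of Bokeh's signed ids as I remember it (random part, `-`, unpadded base64url HMAC-SHA256), so check it against `bokeh.util.session_id` for your version before relying on interoperability.

```python
"""Front-end app behind an authenticating Apache proxy, issuing Bokeh session
ids only for users Apache has authenticated.

Added example (not the poster's code). Assumed deployment:

  browser -> Apache (authenticates; sets X-Remote-User, X-Proxy-Secret)
          -> this app (Flask in the question, plain WSGI here)
          -> bokeh serve --session-ids external-signed --address 127.0.0.1
"""
import base64
import hashlib
import hmac
import secrets
import string

# Hypothetical values; read both from the environment in production.
# SECRET_KEY must equal the BOKEH_SECRET_KEY given to `bokeh serve`.
SECRET_KEY = "replace-with-bokeh-secret-key"
PROXY_SECRET = "replace-with-value-only-apache-knows"
PROXY_ADDRS = {"127.0.0.1"}  # where the Apache proxy connects from

# session id -> authenticated user; a real deployment uses a shared store
SESSIONS = {}

_ALPHABET = string.ascii_letters + string.digits


def _signature(base_id, secret_key):
    # base64url(HMAC-SHA256(secret_key, base_id)) without padding: the shape
    # of Bokeh's signed session ids (verify against your Bokeh version)
    mac = hmac.new(secret_key.encode("utf-8"), base_id.encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def generate_signed_session_id(secret_key, length=44):
    # the random part contains no '-', so the signature splits off cleanly
    base_id = "".join(secrets.choice(_ALPHABET) for _ in range(length))
    return f"{base_id}-{_signature(base_id, secret_key)}"


def check_session_id_signature(session_id, secret_key):
    base_id, sep, sig = session_id.partition("-")
    if not sep:
        return False
    expected = _signature(base_id, secret_key)
    return hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8"))


def request_came_from_proxy(environ):
    # both must hold: the peer is the proxy AND it presented the shared
    # secret, so a client reaching the app directly cannot spoof X-Remote-User
    presented = environ.get("HTTP_X_PROXY_SECRET", "")
    return (environ.get("REMOTE_ADDR") in PROXY_ADDRS
            and hmac.compare_digest(presented.encode("utf-8"),
                                    PROXY_SECRET.encode("utf-8")))


def issue_session(user, secret_key=SECRET_KEY):
    # the Bokeh server only checks the signature; the user binding lives here
    sid = generate_signed_session_id(secret_key)
    SESSIONS[sid] = user
    return sid


def user_for_session(session_id, secret_key=SECRET_KEY):
    # forged, tampered or never-issued ids map to no user
    if not check_session_id_signature(session_id, secret_key):
        return None
    return SESSIONS.get(session_id)


def app(environ, start_response):
    if not request_came_from_proxy(environ):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"direct access refused\n"]
    user = environ.get("HTTP_X_REMOTE_USER", "")
    if not user:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"proxy did not authenticate the user\n"]
    sid = issue_session(user)
    # a Flask view would now render the page with bokeh.embed.server_session(
    # session_id=sid, url=<Bokeh URL as seen through the proxy>)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [sid.encode("ascii")]


def simulate(remote_addr, headers):
    """Drive the app with a constructed request; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "REMOTE_ADDR": remote_addr}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8")


if __name__ == "__main__":
    # constructed requests: one bypassing the proxy, one through it
    print(simulate("203.0.113.5", {"X-Remote-User": "alice"}))
    print(simulate("127.0.0.1", {"X-Remote-User": "alice",
                                 "X-Proxy-Secret": PROXY_SECRET}))
```

The point of the layout is that the session id leaking from the page source no longer matters on its own: the websocket upgrade to the Bokeh server also travels through Apache, which authenticates it, and a Bokeh server bound to localhost cannot be reached any other way. The app-side checks exist so that nothing which manages to talk to the app directly can claim an identity by sending its own `X-Remote-User`.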