LoginScene.show() probes for existing authentication with credentials: 'omit' to avoid the browser's native Basic Auth dialog on 401.
This breaks SSO setups using type = http_x_remote_user with a cookie-based reverse proxy (oauth2-proxy in my case): the session cookie is never sent, the proxy can't inject X-Remote-User, and Radicale returns 401 — so the Login screen appears even though the user is already authenticated.
Changing to credentials: 'include' fixes this. I think modern browsers' SameSite=Lax default already prevents the CSRF concern, and with http_x_remote_user Radicale never sends WWW-Authenticate: Basic so no dialog appears.
Would it make sense to change this to 'include', or add a server-side hint (e.g. a response header) that the web UI could use to decide?
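The exchange described above as a small model, added here as an example and not code from Radicale or oauth2-proxy. The function names, the cookie value and the user `alice` are assumptions, the request is taken to be same-origin, and the model goes slightly beyond the post by also covering the `same-origin` mode and an `htpasswd` backend for comparison:

```javascript
// Constructed model, not Radicale's or oauth2-proxy's code. All names and the
// cookie value below are assumptions made for this example.
const SESSION = '_oauth2_proxy=constructed-session';

// Radicale as the post describes it: with http_x_remote_user it trusts the
// X-Remote-User header and sends no Basic challenge; other auth types do.
function radicale(headers, authType) {
  if (authType === 'http_x_remote_user' && headers['x-remote-user']) {
    return { status: 200, headers: {} }; // stands in for any success status
  }
  const challenge = authType === 'http_x_remote_user'
    ? {}
    : { 'www-authenticate': 'Basic realm="constructed"' };
  return { status: 401, headers: challenge };
}

// Cookie-based reverse proxy: injects X-Remote-User only for a valid session.
function proxy(headers, authType) {
  const h = { ...headers };
  delete h['x-remote-user']; // never forward a client-supplied identity
  if (h.cookie === SESSION) h['x-remote-user'] = 'alice';
  return radicale(h, authType);
}

// Browser side of a same-origin fetch: 'omit' withholds cookies; the other
// modes send them and permit the native dialog on a Basic challenge.
function probe(credentials, authType, jar = SESSION) {
  const sendsCreds = credentials !== 'omit';
  const res = proxy(sendsCreds && jar ? { cookie: jar } : {}, authType);
  const basic = /^basic/i.test(res.headers['www-authenticate'] || '');
  return {
    status: res.status,
    loginScreen: res.status === 401,
    nativeDialog: sendsCreds && res.status === 401 && basic,
  };
}
```

In this model `probe('omit', 'http_x_remote_user')` ends on the login screen despite a valid session, while a mode that sends the cookie succeeds, and the native dialog only appears when a Basic challenge comes back to a credentialed request.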