Hello,

I've noticed a small problem when using a custom GenomeBrowser server and having external authentication enabled - Galaxy returns HTTP 403, because of hard-coded values of allowed hosts.

The issue was introduced in 1648:682c179a2f84 .

My setup might not be very common, so it's not an urgent issue.

My setup is:

1. external authentication is enabled in "universe_wsgi.ini":
   remote_user_maildomain = cshl.edu

2. I use only a local Genome Browser mirror in "universe_wsgi.ini", like so:
   ucsc_display_sites = cshl
   I do not have the "main" and "test" links, because my server is on an internal network.

The result:
Galaxy shows "display at UCSC 'cshl'" link, clicking on that link redirects to my GenomeBrowser server, but when the GenomeBrowser server connects back to my Galaxy server, it gets HTTP 403.

Possible cause(s):

1. In "lib/galaxy/web/framework/middleware/remoteuser.py", the list of allowed GenomeBrowser hosts is hard-coded. Adding my server's name to the list is a workaround.

2. Still in "remoteuser.py", there's a hard-coded check that only enables userless login if the names "main" or "test" appear in the "ucsc_display_sites" INI configuration. As mentioned, I don't have either "main" or "test", so that check fails, and "self.allow_ucsc_main" remains "False". Adding the name of my site to the "if" is a workaround.

The attached patch is a hard-coded workaround (just for my server) - use it as an example if you're in a similar situation.

I guess a more modular fix is complicated, taking into account all possible scenarios (and the new "bx_display_sites" which is not even used in "remoteuser.py").

-gordon
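
An added example, not part of the original message and not Galaxy's code: a sketch of a configuration-driven check in which the set of hosts allowed userless access follows whatever is listed in "ucsc_display_sites", so a site named "cshl" needs no code change. The site-to-network mapping, the "/display/" prefix and the function names are assumptions made for this sketch; it matches the client address against configured networks rather than host names.

```python
import ipaddress

# Constructed sample: site name -> networks of that site's browser hosts.
# This mapping is a hypothetical config structure, not an existing Galaxy option.
SAMPLE_SITE_NETWORKS = {
    "main": ["192.0.2.0/28"],
    "test": ["198.51.100.7/32"],
    "cshl": ["10.20.30.0/24"],
}

def parse_sites(value):
    """Split a comma-separated ucsc_display_sites value into site names."""
    return [s.strip() for s in value.split(",") if s.strip()]

class DisplayAllowlist:
    """Networks allowed to fetch datasets without a logged-in user."""

    def __init__(self, ucsc_display_sites, site_networks):
        self.networks = {}
        for site in parse_sites(ucsc_display_sites):
            if site not in site_networks:
                # Fail at startup instead of returning 403 later.
                raise ValueError("no networks configured for site %r" % site)
            self.networks[site] = [ipaddress.ip_network(n) for n in site_networks[site]]

    def site_for(self, remote_addr):
        """Return the enabled site owning remote_addr, or None."""
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return None
        for site, nets in self.networks.items():
            if any(addr in net for net in nets):
                return site
        return None

def authorize(environ, allowlist, user_header="HTTP_REMOTE_USER",
              display_prefix="/display/"):
    """Return 200 or 403 for a request that passed the front-end proxy.

    user_header and display_prefix are assumed names for this sketch."""
    if environ.get(user_header):
        return 200  # externally authenticated user
    # Userless access: only display paths, only from an enabled site's network.
    path_ok = environ.get("PATH_INFO", "").startswith(display_prefix)
    if path_ok and allowlist.site_for(environ.get("REMOTE_ADDR", "")):
        return 200
    return 403
```
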