cloudfoundry / gorouter

CF Router
Apache License 2.0

Setup sticky session for Kerberos and NTLM HTTP Authentication #392

Closed mariash closed 7 months ago

mariash commented 7 months ago

When the server responds with WWW-Authenticate: Negotiate, save the VCAP_ID cookie on the response to the client so that subsequent requests with Authorization: Negotiate ... will be directed to the same application instance.

See RFC 4559
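The routing rule this PR describes, as an added illustration in Go (not gorouter's own code): a backend 401 carrying WWW-Authenticate: Negotiate pins the client to the answering instance via a cookie, and a follow-up request with Authorization: Negotiate plus that cookie is routed back to it. The cookie name, its attributes and the instance-ID form are assumptions, and only the handshake leg from the PR description is modelled.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Assumed cookie name; the page does not show gorouter's exact cookie attributes.
const stickyCookie = "__VCAP_ID__"

// needsSticky reports whether the backend began a Negotiate (SPNEGO, RFC 4559) handshake,
// i.e. a 401 whose WWW-Authenticate header uses the Negotiate scheme.
func needsSticky(resp *http.Response) bool {
	if resp.StatusCode != http.StatusUnauthorized {
		return false
	}
	for _, v := range resp.Header.Values("WWW-Authenticate") {
		if scheme, _, _ := strings.Cut(strings.TrimSpace(v), " "); strings.EqualFold(scheme, "Negotiate") {
			return true
		}
	}
	return false
}

// pinInstance adds a sticky cookie naming the instance that issued the challenge.
func pinInstance(resp *http.Response, instanceID string) {
	c := &http.Cookie{Name: stickyCookie, Value: instanceID, Path: "/", HttpOnly: true, Secure: true}
	resp.Header.Add("Set-Cookie", c.String())
}

// pickInstance returns the pinned instance for a request continuing the handshake
// (Authorization: Negotiate ...), or "" so that normal load balancing chooses.
func pickInstance(req *http.Request) string {
	scheme, _, _ := strings.Cut(req.Header.Get("Authorization"), " ")
	if c, err := req.Cookie(stickyCookie); err == nil && strings.EqualFold(scheme, "Negotiate") {
		return c.Value
	}
	return ""
}

func main() {
	// Constructed exchange: instance "app-instance-1" challenges, the client answers it.
	resp := &http.Response{StatusCode: 401, Header: http.Header{}}
	resp.Header.Set("WWW-Authenticate", "Negotiate")
	if needsSticky(resp) {
		pinInstance(resp, "app-instance-1")
	}
	req, _ := http.NewRequest("GET", "https://app.example/", nil)
	req.Header.Set("Authorization", "Negotiate <constructed-token>")
	req.AddCookie(&http.Cookie{Name: stickyCookie, Value: "app-instance-1"})
	fmt.Println("route to:", pickInstance(req)) // prints: route to: app-instance-1
}
```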

maxmoehl commented 7 months ago

Can you please explain why the same behaviour cannot be achieved by having the server set the configured sticky session cookie (e.g. JSESSIONID) and using the already existing functionality?

geofffranks commented 7 months ago

Can you please explain why the same behaviour cannot be achieved by having the server set the configured sticky session cookie (e.g. JSESSIONID) and using the already existing functionality?

With NTLM + Kerberos based Integrated Windows Authentication, the authentication logic happens at a core library level for .Net, rather than something the application can control. No cookies can be set until after the auth has been successful. Sticky session cookies work great after the fact, but unfortunately not for IWA.

domdom82 commented 7 months ago

@mariash thanks for the fixes. I have to say I feel uneasy about this change, it adds a lot of logic for a niche use-case. NTLM is not an internet standard because it introduces state to an otherwise stateless protocol like HTTP. It clearly wasn't designed with reverse-proxies like Gorouter in mind. So, to me it would have been better to add a flag for enabling the protocol in the routing-release, probably also with operator configuration options for the VCAP cookie which are now hard-coded.

The entire session handling will eventually have to move to its own middleware, I really don't like it in round tripper. Sessions don't work for websockets for example, because they are a different code path. (See this issue for that)

I will accept the changes for now, with a major refactor of the session logic on my mind.

geofffranks commented 7 months ago

@domdom82 FYI, we added a config flag for enabling/disabling this in https://github.com/cloudfoundry/gorouter/pull/393 and https://github.com/cloudfoundry/routing-release/pull/387.

domdom82 commented 7 months ago

thanks @geofffranks !