Closed bewing closed 4 years ago
Analysis conducted by the requests-kerberos folks suggests this is inherent in the requests model. Unfortunately I'm not aware of anything that makes our codebase different in this regard.
It's probably best to turn off mutual authentication here. There shouldn't be any risk if you're over TLS already.
Closing since mutual auth is disabled by default now, and I can't do anything else about it.
If you have a server that issues a redirect to another page (e.g., GitLab EE has a specific page to handle authenticating Kerberos and creating a session), requests-gssapi will attempt to authenticate both the original 302 and the page that is returned. This will either cause a failure because the context is already complete, or a failure because the second page doesn't process the challenge and return another token.
This appears to be related to requests/requests-kerberos#64