search

pythongssapi / requests-gssapi

An authentication handler for using GSSAPI with Python Requests. Drop-in replacement for old requests-kerberos.
Other
32 stars 21 forks source link

[Question] Compatibility with Flask-GSSAPI #32

Closed grawity closed 3 years ago

grawity commented 3 years ago

I'm trying to get a requests_gssapi client talk to a Flask-GSSAPI service. (I'm using MIT krb5 1.19.1, python-gssapi 1.6.12, python-requests-gssapi 1.2.3, and python-flask-gssapi 1.4.0.)

Somehow, despite its name, HTTPSPNEGOAuth() doesn't send a SPNEGO token (1.3.6.1.5.5.2) by default -- it always defaults to sending a plain Kerberos token (1.2.840.113554.1.2.2). This is accepted by Apache mod_auth_gssapi, but not by Flask-GSSAPI.

I can get the two to interoperate if I specifically tell requests_gssapi to use SPNEGO as mentioned in the documentation...

spnego = gssapi.mechs.Mechanism.from_sasl_name("SPNEGO")
gss_auth = requests_gssapi.HTTPSPNEGOAuth(mech=spnego)

...but I am not sure whether this is already the Right Way of things, or should Flask-GSSAPI be changed to accept plain Kerberos, or should requests_gssapi be using SPNEGO by default, or is it just my machine that isn't quite working right?

grawity commented 3 years ago

It does seem like this is just a bug in Flask-GSSAPI.