Kerberos is a computer-network authentication protocol that works on

Module Contents

class user.auth.clients.kerberos.KerberosClient[source]

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

keytab: str[source]
hostname: str[source]
service: str[source]
try_configuration() None[source]

Tries to use the configuration to get the principal.

If this fails with an exception, the client was not configured corectly, so this is a good way to check for that.

context() Iterator[None][source]

Runs the block inside the context manager with the keytab set to the provider’s keytab.

All functions that interact with kerberos must be run inside this context.

For convenience, this context returns the kerberos module when invoked.

authenticated_username(request: onegov.core.request.CoreRequest) Response | str | None[source]

Authenticates the given request using Kerberos.

The kerberos handshake is as follows:

  1. An HTTPUnauthorized response (401) is returned, with the WWW-Authenticate header set to “Negotiate”

  2. The client sends a request with the Authorization header set to the kerberos ticket.

The result is an authenticated username or None. Note that this username is a username separate from our users table (in most cases).

The kerberos environment defines this username and it is most likely the Windows login username.