
I have a task to create SSO (single sign-on) authorization in a Python backend application with the help of Kerberos and Active Directory.

In other words, the frontend application makes an AJAX GET request to a specific URL of the backend application. That backend application must return information about the employee in JSON format.

What I have done so far:

1) SPN name for the backend application was created in Active Directory.

2) krb5.keytab file for the backend application was created.

3) Active Directory and the Kerberos server are located on a remote Windows server.

4) Backend application would be in Linux Docker container.

5) I installed the Kerberos client in the Docker container.

6) Kerberos Realm: SERVICE.LOCAL.

7) Hostname for the KDC Server: CS001, CS002, CS003.

Have you ever seen any implementations of the above process in Python? I will be grateful for any help.

Nurzhan Nogerbek

1 Answer

You have 2 ways to handle this:

  1. Handle it directly in Python
  2. Handle it in a proxy such as apache or nginx

Pure Python Solution

If you don't have a proxy or just want to handle it in Python anyway, I recommend using the python-gssapi library. Here's a code sample. There are other Python bindings, but from my reading, this one seems to be the most complete.

Note, if you handle it this way, your Python server will probably need to be able to respect the keep-alive header (i.e. re-use the same connection for multiple requests). This isn't strictly part of the SPNEGO protocol, but most browsers seem to require that the server implements it.

Proxy Solution

If you're using apache, there's a mod_auth_kerb module you can use which is well documented. There's also a mod_auth_gssapi which provides similar functionality.

For nginx, there's a similar module available.

With any of these proxy solutions, the idea is that the proxy handles Kerberos auth and sets the REMOTE_USER env variable for your Python app. So your Python app needs to be able to accept this variable as an authenticated user. Django has middleware specifically for that purpose - I'm not sure about Flask (I mention these 2 frameworks because they're in your question's tags).

John B
  • Hello! Thank you for your answer. I have another question. Will the first solution which you recommended work in case the requests are coming from the frontend app and not from the browser? Users will interact through the frontend app in my case. As I know, the browser should just be reading the credential cache on the machine of the employee; at the same time, I don't think we can send all the credential cache through an axios (ajax) request from the frontend application to the backend application. I am a little bit confused in this part. – Nurzhan Nogerbek Apr 13 '19 at 07:17
  • The situation which I described in the previous comment is similar to this [post](https://stackoverflow.com/questions/17869357/chrome-how-to-get-ajax-request-to-work-with-kerberos-if-not-already-authenticat) I think. – Nurzhan Nogerbek Apr 13 '19 at 08:25
  • Sorry, I read "AJAX" and assumed "browser". The server side solution would be the same regardless of whether the request is from a browser or something else. But it looks like you need to find out how to interact with the Kerberos client libraries from Axios. I don't know much about this I'm afraid. Basically you need a way to generate a base64 token from the client credentials, and then send this token in the Authenticate header. python-gssapi has examples of how to do it in Python - that should illustrate what needs to happen. Then you need to find out how to do the equivalent in Axios. – John B Apr 13 '19 at 13:46
  • Maybe this will help? https://stackoverflow.com/questions/20098912/kerberos-authentication-in-node-js-https-get-or-https-request – John B Apr 13 '19 at 13:47
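The pure-Python path from the answer above, as an added example that is not code from the original page or from python-gssapi's own documentation: one SPNEGO leg on the backend side, with the `Authorization: Negotiate` parsing, the 401 challenge, and the per-connection acceptor context that the keep-alive note refers to. It assumes a placeholder SPN `HTTP/backend.service.local@SERVICE.LOCAL` (only the realm SERVICE.LOCAL comes from the question), a keytab that MIT Kerberos in the container can read, and that the caller keeps the returned context on the same connection between legs; the header helpers run without a KDC.

```python
import base64
from typing import Dict, Optional, Tuple

# Assumed SPN (placeholder): only the realm SERVICE.LOCAL comes from the question.
SERVICE_PRINCIPAL = "HTTP/backend.service.local@SERVICE.LOCAL"
# A raw NTLM token starts with this signature; a Kerberos-only keytab cannot accept it.
NTLM_SIGNATURE = b"NTLMSSP\x00"


def parse_negotiate_header(authorization: Optional[str]) -> Optional[bytes]:
    """Decode the token from 'Authorization: Negotiate <base64>'; None if absent or malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "negotiate" or not token:
        return None
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def challenge(out_token: bytes = b"") -> Tuple[int, Dict[str, str]]:
    """401 with 'WWW-Authenticate: Negotiate', carrying a server token when a leg continues."""
    value = "Negotiate"
    if out_token:
        value += " " + base64.b64encode(out_token).decode("ascii")
    return 401, {"WWW-Authenticate": value}


def new_acceptor_context():
    """Acceptor context for the backend SPN; python-gssapi reads KRB5_KTNAME or the default keytab."""
    import gssapi  # imported lazily so the header helpers above work without a KDC
    name = gssapi.Name(SERVICE_PRINCIPAL, name_type=gssapi.NameType.kerberos_principal)
    creds = gssapi.Credentials(name=name, usage="accept")
    return gssapi.SecurityContext(creds=creds, usage="accept")


def authenticate(authorization: Optional[str], ctx=None):
    """Run one SPNEGO leg. Returns (principal, status, headers); principal is None until complete.
    `ctx` is the context left over from the previous leg on the same keep-alive connection."""
    token = parse_negotiate_header(authorization)
    if token is None or token.startswith(NTLM_SIGNATURE):
        status, headers = challenge()        # missing, malformed or raw NTLM: (re)issue the challenge
        return None, status, headers
    ctx = ctx or new_acceptor_context()
    out_token = ctx.step(token) or b""       # raises gssapi.exceptions.GSSError on a bad ticket
    if ctx.complete:
        return str(ctx.initiator_name), 200, {}   # e.g. 'employee@SERVICE.LOCAL'
    status, headers = challenge(out_token)   # another leg is needed; keep ctx for this connection
    return None, status, headers
```

A framework wrapper only needs to map the returned status and headers onto its response object and store `ctx` keyed by connection until `authenticate` returns a principal.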