Menu
The scenario:
Negotiate header etc.) and get the Windows user name of the user accessing the application, using the kerberos-sspi packageI have little experience with Kerberos, but some experience with web applications.
In other Python web apps I have created that use a built-in user database, the authentication flow is typically as follows:
flask.session)/login/ displaying a username/password form. POST to /login/ verifies correct username/password, sets the secure cookie and redirects to the URL specified in the ?next= query param.My question is:
I.e. should I do the following:
/login/. /login/ does the necessary stuff to figure out who the user is (i.e. sending the Negotiate header, use kerberos_sspi to find the user name etc.), then set the secure cookie and redirect to the URL specified in the ?next= query param.Or should it be handled some other way?
647
Kerberos and WebAuth By default, WebAuth also asks you for your password the first time you use it each day. It then stores your Kerberos credentials in a browser cookie and uses them to get new authentication tickets, very similar to the regular Kerberos ticket cache, for each authenticated web site you visit.
In our world, Kerberos is the computer network authentication protocol initially developed in the 1980s by Massachusetts Institute of Technology (MIT) computer scientists. The idea behind Kerberos is to authenticate users while preventing passwords from being sent over the internet.
Basically, Kerberos is a network authentication protocol that works by using secret key cryptography. Clients authenticate with a Key Distribution Center and get temporary keys to access locations on the network. This allows for strong and secure authentication without transmitting passwords.
At this point it is possible to use e.g. Mozilla Firefox to visit the Kerberos authenticated web application. To configure Firefox it is necessary to go to about:config and search for negotiate After this configuration step, Firefox can authenticate against the web application.
Initial user authentication is integrated with the Winlogon single sign-on architecture. The Kerberos Key Distribution Center (KDC) is integrated with other Windows Server security services that run on the domain controller. The KDC uses the domain's Active Directory Domain Services database as its security account database.
Using Kerberos authentication within a domain or in a forest allows the user or service access to resources permitted by administrators without multiple requests for credentials. After initial domain sign on through Winlogon, Kerberos manages the credentials throughout the forest whenever access to resources is attempted. Interoperability.
Kerberos accomplishes single sign-on by storing credentials that typically last approximately one work day. When the user signs onto the computer, the local Kerberos implementation contacts the Key Distribution Center (KDC) to authenticate the user to the KDC. When authentication succeeds, the KDC issues a ticket.
Yes, your suggested flow seems viable.
You could perform the Kerberos Negotiation as first thing landing on /login/ and redirect the user back to the session, if Kerberos said yes. This could even be an XMLHttpRequest on the background and redirect to /login/ if a session ceases to be valid. If the session is checked in the background, the cookies can have a significantly shorter lifetime than Kerberos tokens and you have less of valid sessions to worry about at any given time.
If a session does not exist, offer Kerberos and potential other login methods for the user.
If a user has a valid session through Kerberos, but no user profile, provision the user into the application. Here, you can poll the user for more information on the spot, decide based on groups and roles, or create the user as a stub with a set of default permissions, known missing values and thus defer the process.
This was all very general. You should probably review what you are trying to map your goals against triple-A or AAA as in Authentication, Authorization and Accounting. It seems clear that Kerberos is doing authentication and the remaining roles need to be decided.
About cookies: It indeed does make sense to transform any Authentication into a cookie on your application. That way you could later add some other methods of SSO on the side without changing the whole application.
104
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
