Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Web application Kerberos authentication: Is the proper way to combine with cookies?

Tags:

http

windows

cookies

kerberos

The scenario:

  • An enterprise, behind-the-firewall Python web application.
  • Kerberos should be used to authenticate the users.
  • I have working code that sends the correct responses from the server (the Negotiate header etc.) and get the Windows user name of the user accessing the application, using the kerberos-sspi package

I have little experience with Kerberos, but some experience with web applications.

In other Python web apps I have created that use a built-in user database, the authentication flow is typically as follows:

  • For each request, check if the request has a (signed) cookie containing the user id (or some variation - for instance using flask-login where the user id is stored in flask.session)
  • If the cookie exists, respond normally.
  • If the no such cookie exists, redirect to /login/ displaying a username/password form. POST to /login/ verifies correct username/password, sets the secure cookie and redirects to the URL specified in the ?next= query param.

My question is:

  • In the Kerberos-authenticated web app, is the authentication flow similar?

  • I.e. should I do the following:

    • For each request, check if the request has a (signed) cookie containing the user id
    • If the cookie exists, respond normally.
    • If the no such cookie exists, redirect to /login/. /login/ does the necessary stuff to figure out who the user is (i.e. sending the Negotiate header, use kerberos_sspi to find the user name etc.), then set the secure cookie and redirect to the URL specified in the ?next= query param.

  • Or should it be handled some other way?

like image 647
codeape Avatar asked Feb 12 '19 15:02

codeape

People also ask

Does Kerberos use cookies?

Kerberos and WebAuth By default, WebAuth also asks you for your password the first time you use it each day. It then stores your Kerberos credentials in a browser cookie and uses them to get new authentication tickets, very similar to the regular Kerberos ticket cache, for each authenticated web site you visit.

What is Kerberos authentication used for?

In our world, Kerberos is the computer network authentication protocol initially developed in the 1980s by Massachusetts Institute of Technology (MIT) computer scientists. The idea behind Kerberos is to authenticate users while preventing passwords from being sent over the internet.

How does Kerberos solve the authentication issue?

Basically, Kerberos is a network authentication protocol that works by using secret key cryptography. Clients authenticate with a Key Distribution Center and get temporary keys to access locations on the network. This allows for strong and secure authentication without transmitting passwords.

How to configure Firefox to use Kerberos authentication?

At this point it is possible to use e.g. Mozilla Firefox to visit the Kerberos authenticated web application. To configure Firefox it is necessary to go to about:config and search for negotiate After this configuration step, Firefox can authenticate against the web application.

How is initial user authentication integrated with Kerberos key distribution center?

Initial user authentication is integrated with the Winlogon single sign-on architecture. The Kerberos Key Distribution Center (KDC) is integrated with other Windows Server security services that run on the domain controller. The KDC uses the domain's Active Directory Domain Services database as its security account database.

What are the advantages of Kerberos?

Using Kerberos authentication within a domain or in a forest allows the user or service access to resources permitted by administrators without multiple requests for credentials. After initial domain sign on through Winlogon, Kerberos manages the credentials throughout the forest whenever access to resources is attempted. Interoperability.

How does single sign-on work in Kerberos?

Kerberos accomplishes single sign-on by storing credentials that typically last approximately one work day. When the user signs onto the computer, the local Kerberos implementation contacts the Key Distribution Center (KDC) to authenticate the user to the KDC. When authentication succeeds, the KDC issues a ticket.

1 Answers

Yes, your suggested flow seems viable.

You could perform the Kerberos Negotiation as first thing landing on /login/ and redirect the user back to the session, if Kerberos said yes. This could even be an XMLHttpRequest on the background and redirect to /login/ if a session ceases to be valid. If the session is checked in the background, the cookies can have a significantly shorter lifetime than Kerberos tokens and you have less of valid sessions to worry about at any given time.

If a session does not exist, offer Kerberos and potential other login methods for the user.

If a user has a valid session through Kerberos, but no user profile, provision the user into the application. Here, you can poll the user for more information on the spot, decide based on groups and roles, or create the user as a stub with a set of default permissions, known missing values and thus defer the process.

This was all very general. You should probably review what you are trying to map your goals against triple-A or AAA as in Authentication, Authorization and Accounting. It seems clear that Kerberos is doing authentication and the remaining roles need to be decided.

About cookies: It indeed does make sense to transform any Authentication into a cookie on your application. That way you could later add some other methods of SSO on the side without changing the whole application.

like image 104
ferrix Avatar answered Nov 10 '22 21:11

ferrix
Sign in to Comment

Related questions

Default font size of JavaFX under Linux is larger as on Windows
Drawing a window with a standard frame and transparent contents
Why does Powershell Start-Process not work when called from go (golang)?
Disk IO Issue with circular file writes
Start a process as user from an process running as admin
How to change the behavior of git status showing modified files which are eventually not committed?
Java: Get windows color
A reliable way to identify display devices?
Home directory for bundled version of JDK in IntelliJ IDEA
Why is the main thread of my multithreaded application unresponsive to Ctrl+C?
Correctly installing pyOpenSSL for Python (Windows)
LogonSessionId account assigned Read access in new certificates?
Outlook 2013 display HTML code instead of actual Data
Installing librdkafka on Windows to support Python development
Embed dotnet core (.NET Core) into native applications on Windows/Linux
Why is Windows Smart Screen suddenly 'protecting' PC since purchased new certificate
How can I fix which version of Windows PHP is being used for the CLI?
How to put a Python script in the background without pythonw.exe?
How to use non-mkl NumPy under Anaconda?
R_ext/eventloop.h: No such file error while installing rpy2 using pip

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!