SPNEGO/Kerberos auth


Adam Lippai

Dec 16, 2021, 5:29:43 AM
to net...@chromium.org
Hi,

I saw http://www.chromium.org/developers/design-documents/http-authentication about the auth protocols supported. I have a dummy Python server handling the auth with gssapi, using the header values. It works well, but forces the connection to be HTTP/1.1.

I didn't find any specification or issues in bug trackers explaining why this happens. Will Chrome support this type of SSO over HTTP/2 or HTTP/3? Can you add some technical context on what the challenge is here?

Another issue is that every request from Chrome does a new authentication; it doesn't send the tokens acquired previously. Preflighting every request shouldn't be needed. Am I missing something?

Best regards,
Adam Lippai

Ryan Sleevi

Jan 4, 2022, 12:05:35 PM
to Adam Lippai, net...@chromium.org
SPNEGO is incompatible with HTTP/2 and HTTP/3 and not supported.

See https://datatracker.ietf.org/doc/html/rfc7235#section-5.1.2 - which is implicitly talking about the NTLM/Negotiate (Kerberos) methods. If your HTTP/2 server requires this, it should force clients to negotiate using HTTP/1.1 using the HTTP_1_1_REQUIRED message.

This isn't unique to Chromium, this is a fundamental issue with how the Negotiate Authentication method violated the HTTP invariants, and the intentional choice to not support that in HTTP/2+, due to the security issues connection-based auth would introduce (e.g. confused deputy between requests). This is also why TLS renegotiation, typically used for connection-based post-handshake authentication, is not supported.

With respect to per-request re-authentication, this may be an artifact of how your dummy Python server is implemented. Chrome will keep HTTP/1.1 connections alive iff the response can be properly drained (e.g. Content-Length provided and correct) and the server (your Python server) does not terminate the connection. You can use chrome://net-export to inspect the details and relationships between requests and sockets further, which may help you match the root cause with your Python server.


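The two server-side behaviours the reply above asks for, as an added example that is not part of the original thread, of the poster's Python server, or of Chromium's code: (1) an HTTP/2 server that cannot do Negotiate on a multiplexed connection resets the stream with the HTTP_1_1_REQUIRED error code (RFC 7540 frame layout, type 0x3, code 0xd) so the client retries over HTTP/1.1, and (2) the HTTP/1.1 side answers every request, including the 401 challenge, with an exact Content-Length and without Connection: close, so the client can drain the response and reuse the socket. Assumptions: the real GSSAPI accept step is replaced by a constructed stand-in (`stand_in_verifier`) that only checks the ASN.1 tag 0x60 a SPNEGO InitialContextToken starts with; the principal name `user@EXAMPLE.ORG`, the sample token bytes and the helper names (`handle_request`, `serialize_response`, `rst_stream_http11_required`, `parse_frame`) are all made up for this example.

```python
import base64
import binascii
import struct
from typing import Callable, Dict, Optional, Tuple

# ---- HTTP/2 side: refuse Negotiate on a multiplexed connection ----
# RFC 7540 section 6.4 (RST_STREAM) and section 7 (error code HTTP_1_1_REQUIRED = 0xd).
FRAME_RST_STREAM = 0x3
HTTP_1_1_REQUIRED = 0xD


def rst_stream_http11_required(stream_id: int) -> bytes:
    """Encode RST_STREAM(stream_id, HTTP_1_1_REQUIRED): 9-byte frame header + 4-byte error code.
    Sent instead of a 401 Negotiate challenge: authentication state must not be bound to a
    connection that carries many independent streams (the confused deputy in the reply above)."""
    payload = struct.pack("!I", HTTP_1_1_REQUIRED)
    length24 = struct.pack("!I", len(payload))[1:]  # 24-bit big-endian length
    header = length24 + bytes([FRAME_RST_STREAM, 0x00]) + struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload


def parse_frame(buf: bytes) -> Tuple[int, int, int, int, bytes]:
    """Decode one HTTP/2 frame into (length, type, flags, stream_id, payload)."""
    if len(buf) < 9:
        raise ValueError("short frame header")
    length = int.from_bytes(buf[0:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
    payload = buf[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return length, ftype, flags, stream_id, payload


# ---- HTTP/1.1 side: per-request Negotiate with drainable responses ----
def parse_negotiate_authorization(header: Optional[str]) -> Optional[bytes]:
    """Extract the raw GSS token from 'Authorization: Negotiate <base64>'; None if absent or malformed."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token.strip():
        return None
    try:
        return base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


TokenVerifier = Callable[[bytes], Optional[str]]


def stand_in_verifier(token: bytes) -> Optional[str]:
    """Constructed stand-in (hypothetical) for a GSSAPI accept step; a real server would feed the
    token to gssapi.SecurityContext(usage='accept').step(). It only checks for the ASN.1
    [APPLICATION 0] tag 0x60 that an RFC 2743 InitialContextToken (and so SPNEGO) begins with."""
    if len(token) >= 2 and token[0] == 0x60:
        return "user@EXAMPLE.ORG"  # constructed principal name
    return None


def handle_request(headers: Dict[str, str], verify: TokenVerifier = stand_in_verifier) -> Tuple[int, Dict[str, str], bytes]:
    """Handle one HTTP/1.1 request -> (status, response headers, body).
    Every response, the 401 challenge included, carries an exact Content-Length and no
    'Connection: close', so a client can drain it and keep the socket alive for the next request.
    Nothing is cached per socket: each request is authenticated on its own."""
    token = parse_negotiate_authorization(headers.get("Authorization"))
    principal = verify(token) if token is not None else None
    if principal is None:
        body = b"authentication required\n"
        resp = {"WWW-Authenticate": "Negotiate", "Content-Type": "text/plain"}
        status = 401
    else:
        body = f"hello {principal}\n".encode()
        resp = {"Content-Type": "text/plain"}
        status = 200
    resp["Content-Length"] = str(len(body))
    return status, resp, body


def serialize_response(status: int, headers: Dict[str, str], body: bytes) -> bytes:
    """Serialize (status, headers, body) as an HTTP/1.1 response on the wire."""
    reason = {200: "OK", 401: "Unauthorized"}.get(status, "")
    head = f"HTTP/1.1 {status} {reason}\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n"
    return head.encode("ascii") + body


if __name__ == "__main__":
    print(rst_stream_http11_required(1).hex())
    print(serialize_response(*handle_request({})).decode())
    # constructed token: 0x60 tag followed by a long-form length, as a SPNEGO token would start
    print(serialize_response(*handle_request({"Authorization": "Negotiate YIIBAA=="})).decode())
```

The HTTP/2 half only makes sense on the stream where the first request arrives; once the client has retried over HTTP/1.1 the second half handles the challenge. The point of keeping the 401 body drainable is the one made in the reply: if the challenge is sent without a correct Content-Length, or the socket is closed after it, the client has to open a new connection for every attempt, which looks like "re-authenticating on every request".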