GSSAPI and SPNEGO question

JSoet jordan.soet at ca.ibm.com
Mon Jul 11 18:14:49 EDT 2016


I have a question about the use of the SPNEGO tokens sent from a client
browser. Based on my reading
(https://msdn.microsoft.com/en-us/library/ms995330.aspx +
https://tools.ietf.org/html/rfc4178#section-4.2) it seems like it is up to
the server application to decode the SPNEGO token and extract the GSSAPI
token, and then pass the extracted token to the GSSAPI call. But when I was
looking for code examples I found the pykerberos library and noticed that
they just take the whole SPNEGO token (everything after "Negotiate") and
pass it directly to the GSSAPI call after base64 decoding it
(https://github.com/mkomitee/flask-kerberos/blob/master/flask_kerberos.py#L105
+ https://github.com/bgamble/pykerberos/blob/master/src/kerberosgss.c#L535).
I tried this as well and it seems to work fine.

I'm just trying to understand why this works? Am I misunderstanding the
specification and the whole SPNEGO token is supposed to be passed into the
GSSAPI call and all the details about how the token is structured are just
for the GSSAPI implementors? Or is the support for accepting the SPNEGO
token just a convenience function for the library users? Or since GSSAPI is
really just an interface, does it completely depend on the implementation?
If you have any links to documentation about this it'd be great as I've
struggled to find anything online...

Thanks,
Jordan
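
On the token layout the question refers to, an added example (not part of the original message, and not pykerberos or flask-kerberos code): the initial token of a Negotiate exchange uses the RFC 2743 section 3.1 framing, a 0x60 tag followed by a mechanism OID, and this sketch reads that OID to report whether the outer mechanism is SPNEGO or raw Kerberos. The function names and the sample header values are constructed for illustration.

```python
import base64

# Outer mechanism OIDs: SPNEGO (RFC 4178) and Kerberos V5 (RFC 4121).
MECHS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5"}

def _read_len(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body):  # DER OID content bytes -> dotted-decimal text
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    top = min(arcs[0] // 40, 2)  # first sub-identifier packs the first two arcs
    return ".".join(map(str, [top, arcs[0] - 40 * top] + arcs[1:]))

def outer_mechanism(header_value):
    """Return (oid, name) for the initial token of a 'Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header value")
    token = base64.b64decode(b64.strip(), validate=True)
    if len(token) < 2 or token[0] != 0x60:  # [APPLICATION 0], RFC 2743 section 3.1
        raise ValueError("no GSS-API initial-token framing")
    total, pos = _read_len(token, 1)
    if pos + total > len(token) or total < 2 or token[pos] != 0x06:
        raise ValueError("truncated token or missing mechanism OID")
    oid_len, pos = _read_len(token, pos + 1)
    body = token[pos:pos + oid_len]
    if len(body) != oid_len or not body or body[-1] & 0x80:
        raise ValueError("truncated or malformed mechanism OID")
    oid = _decode_oid(body)
    return oid, MECHS.get(oid, "unknown")

def _sample(oid_hex, inner):
    """Constructed header value: real OID, placeholder inner bytes (not a valid token)."""
    body = bytes.fromhex(oid_hex) + inner
    return "Negotiate " + base64.b64encode(bytes([0x60, len(body)]) + body).decode()

SAMPLE_SPNEGO = _sample("06062b0601050502", b"\xa0\x02\x30\x00")
SAMPLE_KRB5 = _sample("06092a864886f712010202", b"\x01\x00placeholder")
```

A token without the 0x60 framing, such as a raw NTLMSSP message, is rejected with `ValueError` rather than classified.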


