Hey folks!

I'm part of Fedora Infrastructure and we maintain our FreeIPA-based auth stack (among many other things). We have mostly Python-based web applications, and while they use OpenID Connect (OIDC) for authentication, some of them are using GSSAPI authentication directly to authenticate clients (koji, fasjson, copr). Until now, we've put those apps behind apache's mod_auth_gssapi and used the env variable it sets to read the authenticated user. Unfortunately this is starting to not be sufficient, for the following two reasons:

- we want to only authenticate parts of the app
- running the apps behind apache in OpenShift adds another layer that is not very convenient in containers, and prevents us from using Python builder images with s2i since those only support gunicorn
I'm considering writing/adapting a WSGI authentication layer that would handle GSSAPI. I've seen that somebody has already written one for ASGI (the async version of WSGI) here: https://github.com/washed-out/asgi-gssapi/ It's also based on an older WSGI implementation that was based on python-kerberos, now obsoleted by python-gssapi.

So I'm considering reusing asgi-gssapi and making it do WSGI instead. Do you think it's a bad idea? Do you know of other libraries that do this? (I searched, but found nothing besides the 2 I mentioned.) Most of the work will be done by python-gssapi, but there's always room for security flaws in this sort of thing, and I'm not a Kerberos/GSSAPI expert.

Would somebody here be interested in this GSSAPI-WSGI layer? How about co-maintaining it?

Thanks!
Aurélien

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
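The WSGI layer sketched in the post, as an added example that is not code from the original message, from asgi-gssapi or from Fedora Infrastructure: a middleware that runs the HTTP Negotiate exchange (RFC 4559) with python-gssapi, protects only the path prefixes it is given, and hands the authenticated principal to the application in `environ["REMOTE_USER"]`, the same contract the apps had behind mod_auth_gssapi. The acceptor context is built by an injectable factory: `gssapi_context_factory` uses the real `gssapi.SecurityContext` (and assumes a keytab is reachable, e.g. through KRB5_KTNAME), while `StubAcceptor`, `hello_app` and `run_request` are constructed here so the flow can be exercised without a KDC. The class and helper names are this example's own, not the library's.

```python
"""WSGI middleware for SPNEGO/Negotiate authentication (illustration, not library code)."""
import base64
import re

try:
    import gssapi  # real bindings; optional so the module still imports without them
except ImportError:  # pragma: no cover
    gssapi = None

_NEGOTIATE_RE = re.compile(r"^\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*$")


def gssapi_context_factory(service_name=None):
    """Real acceptor context. Assumes python-gssapi and a service keytab are available."""
    creds = None
    if service_name is not None:  # e.g. "HTTP@app.example.org"; None = default keytab principal
        name = gssapi.Name(service_name, gssapi.NameType.hostbased_service)
        creds = gssapi.Credentials(name=name, usage="accept")
    return gssapi.SecurityContext(creds=creds, usage="accept")


def encode_token(token):
    """Base64 a raw GSSAPI token for the WWW-Authenticate / Authorization header."""
    return base64.b64encode(token).decode("ascii")


class GSSAPIAuthMiddleware:
    """Require Negotiate auth under `protected_prefixes`; pass every other path through."""

    def __init__(self, app, protected_prefixes=("/",), context_factory=gssapi_context_factory):
        self.app = app
        self.protected_prefixes = tuple(protected_prefixes)
        self.context_factory = context_factory

    def _is_protected(self, path):
        return any(path.startswith(prefix) for prefix in self.protected_prefixes)

    @staticmethod
    def _challenge(start_response, out_token=None):
        # 401 with a bare "Negotiate" starts the exchange; with a token it continues it.
        value = "Negotiate" if out_token is None else "Negotiate " + encode_token(out_token)
        start_response("401 Unauthorized", [("WWW-Authenticate", value), ("Content-Type", "text/plain")])
        return [b"401 Unauthorized"]

    def __call__(self, environ, start_response):
        if not self._is_protected(environ.get("PATH_INFO", "")):
            return self.app(environ, start_response)
        match = _NEGOTIATE_RE.match(environ.get("HTTP_AUTHORIZATION", ""))
        if not match:
            return self._challenge(start_response)
        try:
            in_token = base64.b64decode(match.group(1), validate=True)
            ctx = self.context_factory()
            out_token = ctx.step(in_token)
        except Exception:
            # Bad base64, replay, clock skew, wrong service principal: reject without
            # echoing the GSSAPI error text back to the client.
            return self._challenge(start_response)
        if not ctx.complete:
            # Multi-round mechanisms: hand back the continuation token and keep asking.
            return self._challenge(start_response, out_token)
        environ["REMOTE_USER"] = str(ctx.initiator_name)

        def start_response_with_token(status, headers, exc_info=None):
            if out_token:  # RFC 4559: a final mutual-auth token rides on the success response
                headers = list(headers) + [("WWW-Authenticate", "Negotiate " + encode_token(out_token))]
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_token)


class StubAcceptor:
    """Constructed stand-in for gssapi.SecurityContext: accepts exactly one fake token."""

    def __init__(self):
        self.complete = False
        self.initiator_name = None

    def step(self, in_token):
        if in_token != b"valid-client-token":  # constructed value, not a real SPNEGO token
            raise ValueError("unrecognised token")
        self.complete = True
        self.initiator_name = "alice@EXAMPLE.COM"  # constructed principal
        return b"server-mutual-token"


def hello_app(environ, start_response):
    """Tiny application that reads the user the way the apps behind mod_auth_gssapi do."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello " + environ.get("REMOTE_USER", "anonymous").encode("utf-8")]


def run_request(app, path, authorization=None):
    """Drive one WSGI request offline; returns (status, headers dict, body bytes)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    mw = GSSAPIAuthMiddleware(hello_app, protected_prefixes=("/api/",), context_factory=StubAcceptor)
    print(run_request(mw, "/public"))
    print(run_request(mw, "/api/builds"))
    print(run_request(mw, "/api/builds", "Negotiate " + encode_token(b"valid-client-token")))
```

In production the factory is the real one (`GSSAPIAuthMiddleware(app, ("/api/",), lambda: gssapi_context_factory("HTTP@app.example.org"))`), and because the middleware owns only the listed prefixes the OIDC-protected parts of the app are untouched, which is the first of the two reasons given above. The single-round case is the common one for Kerberos; the `ctx.complete` check is what keeps a multi-round mechanism from being treated as authenticated after its first token.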
