Skip to main content

HTTP Negotiate (GSSAPI) authentication support for Flask applications.

Project description

HTTP Negotiate (GSSAPI) authentication support for Flask applications. Secure sensitive views with transparent and secure single sign-on to authorize user access using existing access controls within your Microsoft, Samba Active Directory or FreeIPA servers.

Currently the username and ticket are not exposed to your application, however this should be possible. It also does not offer more fine-grained permission systems to user groups, only the host-based and service-based access controls implemented by your authentication server.

Installation

Install the easy way through PyPi:

$ pip install flask-gssapi

Or alternatively download and build yourself:

$ git clone https://github.com/cour4g3/flask-gssapi
$ cd flask-gssapi
$ python setup.py install

Usage

Usage is fairly simple:

from flask import Flask, render_template
from flask_gssapi import GSSAPI

app = Flask(__name__)

gssapi = GSSAPI(app)

# Here, you'll need to be authenticated
@app.route('/secret')
@gssapi.require_auth
def secret_view():
    return render_template('secret.html')

# Here, you'll need to be a specific user
@app.route('/admin')
@gssapi.require_user(user=admin)
def admin_view():
    return render_template('admin.html')

Configuration

For security purposes your application should probably not have read access to the system’s keytab, you should create a new keytab for the application:

$ export KRB5_KTNAME=FILE:/path/to/HTTP.keytab
$ net ads keytab create
$ net ads keytab add HTTP
$ chown httpd:httpd /path/to/HTTP.keytab

The KRB5_KTNAME will point to the correct keytab to use and can be included in your startup script or service file.

The defaults should be sufficient for most purposes, but you may need to be changed under certain circumstances:

Key

Description

GSSAPI_SERVICE_NAME

The service name you want to authenticate against, by default this is HTTP which most browsers use.

GSSAPI_HOSTNAME

The hostname you want authenticate against, by default this is acquired from socket.fqdn().

Todo

  • Offer fallback to a login page or Basic authentication if no credentials are provided i.e. non-domain connected device.

  • Configuration key to protect all views by default with an equivalent no_auth decorator.

License

Licensed under the MIT License.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

Flask-GSSAPI-1.1.tar.gz (4.0 kB view details)

Uploaded Source

File details

Details for the file Flask-GSSAPI-1.1.tar.gz.

File metadata

  • Download URL: Flask-GSSAPI-1.1.tar.gz
  • Upload date:
  • Size: 4.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No

File hashes

Hashes for Flask-GSSAPI-1.1.tar.gz
Algorithm Hash digest
SHA256 3902e414b25c2e530122ac2667e736eb7e64777d3ec8128b7ec4784a91fb2ebf
MD5 22808635488bb5815ac44f30af1b3c44
BLAKE2b-256 749b0971e2e12b8143c4fc98590b4db56bdbfad957aa3ecf110fbcb7bb5490eb

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page