Skip to main content

GSSAPI authentication for Django

Project description

GSSAPI authentication for Django

Provide GSSAPI (SPNEGO) authentication to Django applications.

It’s a rewrite of django-kerberos using python-gssapi.

It’s only tested with MIT Kerberos 5 using package k5test.

Python 2 and 3, Django >1.8 are supported.

Basic usage

Add this to your project

url('^auth/gssapi/', include('django_gssapi.urls')),

And use the default authentication backend, by adding that to your file:



django-gssapi provide a base LoginView that you can subclass to get the behaviour your need, the main extension points are:

  • challenge() returns the 401 response with the challenge, you should override it to show a template explaining the failure,

  • success(user) it should log the given user and redirect to REDIRECT_FIELD_NAME,

  • get_service_name() it should return a gssapi.Name for your service, by default it returns None, so GSSAPI will match any name available (for example with Kerberos it will match any name in your keytab, like @HTTP/


To make your application use GSSAPI as its main login method:

LOGIN_URL = 'gssapi-login'

Your application need an environment where the GSSAPI mechanism like Kerberos will work, for Kerberos it means having a default keytab of creating one and setting its path in KRB5_KTNAME or you can use GSSAPI_STORE with MIT Kerberos 5 and credential store extension to indicate a keytab:

GSSAPI_STORE = {'keytab': 'FILE:/var/lib/mykeytab'}

You can also force a GSSAPI name for you service with:

import gssapi

GSSAPI_NAME = gssapi.Name('HTTP/', gssapi.MechType.hostbased_service)

GSSAPI authentication backend

A dummy backend is provided in django_gssapi.backends.GSSAPIBackend it looks up user with the same username as the GSSAPI name. You should implement it for your use case.

A custom authentication backend must have the following signature:

class CustomGSSAPIBackend(object):
    def authenticate(self, request, gssapi_name):

The parameter gssapi_name is a gssapi.Name object, it can be casted to string to get the raw name.

Kerberos username/password backend

If your users does not have their browser configured for SPNEGO HTTP authentication you can also provide a classic login/password form which check passwords using Kerberos. For this use django_gssapi.backends.KerberosPasswordBackend, the username is used as the raw principal name.

django-rest-framework authentication backend

To authenticate users with GSSAPI you can use django_gssapi.drf.GSSAPIAuthentication, it uses the configured GSSAPI authentication backend to find an user and returns the GSSAPI name in request.auth.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-gssapi-1.0.tar.gz (11.4 kB view hashes)

Uploaded Source

Built Distribution

django_gssapi-1.0-py2.py3-none-any.whl (9.2 kB view hashes)

Uploaded Python 2 Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page