http proxy negotiate/gssapi authentication?

[benley]

I was hoping to find a HTTPProxyKerberosAuth class to enable working with http proxies that require NEGOTIATE gssapi auth, like certain configurations of squid. Is there a way to use requests-kerberos handle that scenario as it currently stands?

This would be akin to HTTPProxyDigestAuth from requests-toolbelt, if the necessary code doesn't already exist somewhere.

[Lukasa]

requests-kerberos cannot currently handle that kind of authentication.

[benley]

Thank you for clarifying. Is it proxy auth something that belongs in this project, or am I barking up the wrong tree?

[Lukasa]

It definitely belongs in this project. =) Unfortunately, I have very little time to tackle writing such a thing, so I'll have to leave this open to someone else who can find that time.

[carsonyl]

This would be nice to have! However, Requests doesn't support multiple auth handlers, so it can be a problem if you want to use one auth method for the proxy, and another for the actual request. This is already an issue with HttpNtlmAuth from requests-ntlm, though I don't know if the problem's tracked anywhere.

HttpNtlmAuth also handles NTLM authentication for either a proxy or a website, based on what response header it sees first, which makes it a bit of an oddball.

[NurcanSonmez]

Hi everyone! Any ideas how the proxy auth can be done with requests-kerberos?
It's been a while since this ticket is opened, just wanted to check.

[NurcanSonmez]

When I use IP address as the auth surrogate in the proxy the following works, however, when I use no surrogate it doesn't work. Just sharing the code in case it'll help others.
import requests from requests_kerberos import HTTPKerberosAuth, REQUIRED
PROXY = {'https': 'http://yourproxy:80'}
s = requests.Session()
response = s.get("http://yourproxy:80",auth=HTTPKerberosAuth(force_preemptive=True))
response_cnn = s.get("https://www.cnn.com", proxies=PROXY, verify=False, headers={"Proxy-Authorization": response.request.headers['Authorization']})

[nametkin]

@NurcanSonmez , Thanks for your code, it was very useful for me when I just ran into this problem. But with requests https, it really doesn't work. Having studied the code of Requests, I realized that the authentication data (that was placed in the request header) does not reach the method "set_tunnel" (module httplib(py2)/http.client(py3)). I used the following code to solve this problem:

import requests
from requests_kerberos import HTTPKerberosAuth
from urllib3.util import parse_url

class HTTPAdapterWithProxyKerberosAuth(requests.adapters.HTTPAdapter):
    def proxy_headers(self, proxy):
        headers = {}
        auth = HTTPKerberosAuth()
        negotiate_details = auth.generate_request_header(None, parse_url(proxy).host, is_preemptive=True)
        headers['Proxy-Authorization'] = negotiate_details
        return headers

session = requests.Session()
session.proxies = {'http': 'http://yourproxy:proxyport', 'https': 'http://yourproxy:proxyport'}
session.mount('https://', HTTPAdapterWithProxyKerberosAuth())

response = session.get(r"https://www.google.com/")

Maybe it will be useful for someone.

[jborean93]

Support for proxying http endpoints has been added with #148. As mentioned above using this for https endpoints is not supported due to limitations with the underlying libraries that are used. Until this is fixed we can only offer support for http endpoints.