I have a question about the use of the SPNEGO tokens sent from a client browser. Based on my reading (https://msdn.microsoft.com/en-us/library/ms995330.aspx + https://tools.ietf.org/html/rfc4178#section-4.2) it seems like it is up to the server application to decode the SPNEGO token and extract the GSSAPI token, and then pass the extracted token to the GSSAPI call. But when I was looking for code examples I found the pykerberos library and noticed that they just take the whole SPNEGO token (everything after "Negotiate") and pass it directly to the GSSAPI call after base64 decoding it (https://github.com/mkomitee/flask-kerberos/blob/master/flask_kerberos.py#L105 + https://github.com/bgamble/pykerberos/blob/master/src/kerberosgss.c#L535). I tried this as well and it seems to work fine.

I'm just trying to understand why this works. Am I misunderstanding the specification, and the whole SPNEGO token is supposed to be passed into the GSSAPI call, with all the details about how the token is structured being just for the GSSAPI implementors? Or is the support for accepting the SPNEGO token just a convenience function for the library users? Or, since GSSAPI is really just an interface, does it completely depend on the implementation? If you have any links to documentation about this it'd be great, as I've struggled to find anything online...

Thanks,
Jordan

--
View this message in context: http://kerberos.996246.n3.nabble.com/GSSAPI-and-SPNEGO-question-tp45704.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
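The question turns on how the two layers of the token are framed, so here is an added example (not code from the post, from pykerberos or from flask-kerberos) that takes a `Negotiate` header value apart the way RFC 2743 section 3.1 and RFC 4178 section 4.2 describe it. The outer token is itself a GSS-API InitialContextToken, `[APPLICATION 0] { OID, inner }`, and when the OID is SPNEGO (1.3.6.1.5.5.2) the inner part is a NegTokenInit whose `mechToken [2]` carries the first token of the preferred mechanism. The sample header, the mechanism list and the placeholder `mechToken` below are constructed for the demonstration (the placeholder is not a real Kerberos AP-REQ); the minimal DER helpers are my own, and nothing here calls a GSS-API library.

```python
"""Unwrap a 'Negotiate <base64>' value: RFC 2743 s3.1 framing on the outside,
RFC 4178 s4.2 NegTokenInit on the inside. Minimal DER handling, enough for
these two structures; the sample data at the bottom is constructed."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"          # RFC 4178
KRB5_OID = "1.2.840.113554.1.2.2"      # RFC 1964 Kerberos V5 mechanism
MS_KRB5_OID = "1.2.840.48018.1.2.2"    # Microsoft legacy Kerberos OID (sample only)


def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _decode_length(buf, pos):
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes

def _tlv(tag, content):
    return bytes([tag]) + _encode_length(len(content)) + content

def _read_tlv(buf, pos):
    """Return (tag, content, position after this TLV)."""
    tag = buf[pos]
    length, pos = _decode_length(buf, pos + 1)
    return tag, buf[pos:pos + length], pos + length

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def build_spnego_init(mech_oids, mech_token):
    """InitialContextToken { SPNEGO OID, NegTokenInit { mechTypes [0], mechToken [2] } }."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    token = _tlv(0xA2, _tlv(0x04, mech_token))
    neg_init = _tlv(0xA0, _tlv(0x30, mech_types + token))
    return _tlv(0x60, encode_oid(SPNEGO_OID) + neg_init)

def parse_gss_initial_token(token):
    """RFC 2743 s3.1: [APPLICATION 0] { OID, inner } -> (mech_oid, inner bytes)."""
    tag, content, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid_content, pos = _read_tlv(content, 0)
    if tag != 0x06:
        raise ValueError("missing mechanism OID")
    return decode_oid(oid_content), content[pos:]

def parse_neg_token_init(inner):
    """RFC 4178 s4.2 NegTokenInit -> (list of mechType OIDs, mechToken or None)."""
    tag, seq, _ = _read_tlv(inner, 0)
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    tag, fields, _ = _read_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("NegTokenInit body is not a SEQUENCE")
    mech_types, mech_token, pos = [], None, 0
    while pos < len(fields):
        tag, content, pos = _read_tlv(fields, pos)
        if tag == 0xA0:                              # mechTypes [0] SEQUENCE OF OID
            _, oids, _ = _read_tlv(content, 0)
            p = 0
            while p < len(oids):
                _, oid_bytes, p = _read_tlv(oids, p)
                mech_types.append(decode_oid(oid_bytes))
        elif tag == 0xA2:                            # mechToken [2] OCTET STRING
            _, mech_token, _ = _read_tlv(content, 0)
        # reqFlags [1] and mechListMIC [3] are not needed for this illustration
    return mech_types, mech_token

def unwrap_negotiate_header(header_value):
    """Return (outer_oid, mech_types, mech_token). A client may also send a raw
    mechanism token (outer OID not SPNEGO); then the whole token is the mech token."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    outer_oid, inner = parse_gss_initial_token(token)
    if outer_oid == SPNEGO_OID:
        mech_types, mech_token = parse_neg_token_init(inner)
        return outer_oid, mech_types, mech_token
    return outer_oid, [], token

# Constructed sample: a Kerberos-framed placeholder, not a real AP-REQ.
SAMPLE_MECH_TOKEN = _tlv(0x60, encode_oid(KRB5_OID) + b"\x01\x00" + b"<placeholder AP-REQ>")

def example_header():
    token = build_spnego_init([MS_KRB5_OID, KRB5_OID], SAMPLE_MECH_TOKEN)
    return "Negotiate " + base64.b64encode(token).decode()

if __name__ == "__main__":
    print(unwrap_negotiate_header(example_header()))
```

Run as written it prints the SPNEGO OID, the two sample mechanism OIDs, and the placeholder mechToken. The practical point for the server side: the bytes after `Negotiate` already carry a mechanism OID in the outer frame, so a GSS-API implementation that registers SPNEGO as a mechanism can dispatch on that OID itself, while a server that wants to hand a specific mechanism its own token would extract `mechToken` as above.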