-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for Proxy-Authorization #3
Comments
Is there any particular reason you can't use the standard proxy handling? Either through the HTTP[S]_PROXY environment variables or through the routing interface? It would be awkward and redundant to code the same functionality in every individual auth handler. In theory, you should be able to do: client = httpx.Client(
...
proxies={
"http://": "http://USERNAME:PASSWORD@HOST:PORT",
"https://": "https://USERNAME:PASSWORD@HOST:SSL_PORT",
},
) or export HTTP_PROXY=http://USERNAME:PASSWORD@HOST:PORT
export HTTPS_PROXY=https://USERNAME:PASSWORD@HOST:SSL_PORT
python my_code.py |
I want to use password less kerberos interface (using keytab) |
That doesn't have anything to do with proxy auth or much to do with this library really. GSSAPI authentication happens after you've acquired local Kerberos ticket through something like Some simple subprocess code could be: subprocess.run(['kinit', 'USER@ADS', '-k', '-t', 'path/to/user.keytab'], check=True) @frozencemetery Is there a way to kinit using a keytab with Python GSSAPI? I haven't explored that myself. |
The Proxy-Authentication header can contain the kerberos ticket (to the proxy) similar to the Authentication header (to the service). Like you use gssapi to negotiate with the service instead of Basic auth upon HTTP error 401, it can be used to negotiate with the proxy instead of Basic auth upon HTTP error 407 |
Ohhh okay, sorry for the confusion, I understand now. You're trying to authenticate the proxy itself with GSSAPI. We can definitely do that, I'll just need to set up a test env for it. |
Exactly, thanks for your patience and your responses. Next time I should start with a code snippet, sequence diag or some better illustration 🤔 |
(I recognize that the discussion has moved on here, but going to answer this one in case anyone finds this later.) Yes, but which way depends on what you're trying to do :) GSSAPI prefers to sit above the level of kinit. But if you have a keytab, it can be specified using the KRB5_KEYTAB or KRB5_CLIENT_KEYTAB variables (see https://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html) and then either calling |
This PR is somewhat relevant: https://github.com/requests/requests-kerberos/pull/149/files |
Yeah I was looking over that earlier. I've been mocking up a test environment using proxy.py with a bare-bones GSSAPI auth plugin. |
I didn't know this one, nice! |
Just wanted to update that I am working on this, but I'm having a little trouble with the testing environment setup. I can get it to properly authenticate the proxy and connect to external websites, but connecting to the local webserver is causing the connection to be terminated. I'll figure it out, just wanted to provide an update. |
Turns out, it was just a bug in proxy.py: abhinavsingh/proxy.py#398. Setting the However, I've run into a new problem: I can't seem to determine the proxy host for generating the I've pushed my work so far to the |
Similar to HTTP error 401 + Authorization headers sometimes not the server, but a proxy needs authorization.
It's using HTTP error 407 and Proxy-Authorization headers.
The text was updated successfully, but these errors were encountered: