[PATCH] SPNEGO version2

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Thu Feb 19 06:36:40 PST 2015


On Thu, Feb 19, 2015 at 12:09 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Thu, 2015-02-19 at 10:06 +0100, Nikos Mavrogiannopoulos wrote:
>> Note that I've not generalized authentication outside spnego, mainly
>> intentionally as I have no way to test it.
> I really do want to see that generalised. It's not so hard to test it.
> Just have a completely unrelated URL elsewhere which requires
> authentication of whatever kind, and when you've authenticated you get
> an HTTP redirect to the real ocserv URL.
> Not only will that allow us to test other auth methods, it'll also allow
> us to test the case of authenticating with GSSAPI to more than one
> server -- which might happen in load-balancing scenarios.

The latter is orthogonal to the first one. For the latter we need to
support an alternative keytab. For the first we need to add support for
the headers of the other authentication methods. I could do the
latter, but I'm really not inclined to spend time on the former. It
is not easy to implement and test (for me at least) and I have no use
case for it.

regards,
Nikos



More information about the openconnect-devel mailing list