Skip to content
/ passport-negotiate Public
forked from dmansfield/passport-negotiate

Negotiate (kerberos) authentication strategy for Passport.

0 stars 12 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

willthelaw/passport-negotiate

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
examples/login
examples/login
 
 
lib/passport-negotiate
lib/passport-negotiate
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
package.json
package.json
 
 

Repository files navigation

passport-negotiate

Negotiate (Kerberos) single-sign-on authentication strategy for Passport.

This Passport strategy implements authentication of users implementing "HTTP Negotiate", or SPNEGO auth-scheme, as described in RFC 4559.

For this to work, clients (browsers) must have access to a "credentials cache", which happens when logging in to a Domain in Windows, or in Linux/Unix either by using the "kinit" tool directly, or by using PAM modules which do this at login time, for example using sssd with a kerberos DC or Active Directory Domain Controller such as Samba 4.

When "Negotiate" is requested by the server, via a "WWW-Authenticate: Negotiate" header and a 401 response, the browser will obtain credentials in the form of a "ticket". The browser will then re-request the resource with the ticket data provided in the "Authorization: Negotiate .....". This happens transparently to the user.

Node.js can also be made to work as a negotiate enabled client, see this Gist.

Install

$ npm install passport-negotiate

Usage

Configure Strategy

The kerberos authentication strategy authenticates users using a username and password. The strategy requires a verify callback, which accepts the user's kerberos principal and calls done providing a user. Kerberos principals typically look like user@REALM.

var NegotiateStrategy = require("passport-negotiate");
passport.use(new NegotiateStrategy(function(principal, done) {
    User.findOne({ principal: principal }, function (err, user) {
        return done(err, user);
    });
  }
));

There are some quirks worth noting:

  1. You must not use failureRedirect when using the authentication method as middleware, because the strategy must generate a 401 status response with a specific header (WWW-Authenticate: Negotiate), which won't happen if failureRedirect is used.
  2. Kerberos authentication can succeed, but the supplied verify function cannot find a user object for the user. In this case, a noUserRedirect can be supplied which will in many respects work the way failureRedirect works for other strategies. The sample application examples/login demonstrates this. The strategy will set req.session.authenticatedPrincipal to the authenticated principal whenever kerberos authentication has succeeded regardless of the (in-)ability of the verify function to supply a user object.

Credits

License

The MIT License

Copyright (c) 2015 David Mansfield

About

Negotiate (kerberos) authentication strategy for Passport.

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

3 tags

Packages

No packages published

Languages

  • JavaScript 100.0%