Negotiate (Kerberos) single-sign-on authentication strategy for Passport.
This Passport strategy authenticates users with the "HTTP Negotiate" (SPNEGO) auth-scheme described in RFC 4559.
For this to work, clients (browsers) must have access to a "credentials cache". On Windows this is populated by logging in to a Domain; on Linux/Unix it is populated either by running the "kinit" tool directly, or by PAM modules which do this at login time, for example sssd backed by a Kerberos DC or an Active Directory Domain Controller such as Samba 4.
When the server requests "Negotiate" by sending a 401 response with a "WWW-Authenticate: Negotiate" header, the browser obtains credentials in the form of a "ticket" and re-requests the resource with the ticket data in an "Authorization: Negotiate ....." header. This happens transparently to the user.
Node.js can also be made to work as a Negotiate-enabled client; see this Gist.
Note: at the time of this writing, no released version of the dependent package, "kerberos", contains the revisions needed to support this module. The current version of kerberos is 0.0.12. Please see this fork.
$ npm install passport-negotiate
The kerberos authentication strategy authenticates users using a username and password. The strategy requires a verify callback, which accepts the user's Kerberos principal and calls done providing a user. Kerberos principals typically look like user@REALM.
var passport = require("passport");
var NegotiateStrategy = require("passport-negotiate");

passport.use(new NegotiateStrategy(function(principal, done) {
  // principal is the Kerberos principal the ticket was issued for, e.g. "alice@EXAMPLE.COM"
  User.findOne({ principal: principal }, function (err, user) {
    if (err) { return done(err); }           // lookup failed
    if (!user) { return done(null, false); } // principal is not a known user
    return done(null, user);                 // authenticated
  });
}));
Copyright (c) 2015 David Mansfield