How can we add Kerberos Authentication and OAuth at the same time on one proxy

Google Cloud Apigee
1

Hi,

If we have a API proxy that needs both Kerberos Authentication and OAuth policy applied.

Currently, we see a conflict in the header

  1. OAuth bearer token needs to be passed as Authorization header in the HTTP request

  2. The SPENEGO negotiation header also needs to be passed as an Authrization header for Kerberos handshakes.

So its a conflict here as you can see

How can we resolve this? Any suggestions?

Thanks

2

@hanzhang ,

  • Apigee does support Kerberos. It’s supported only in OPDK. You need to use custom java callout policy to validate SPNEGO tokens.
  • You need to make few config changes in Apigee Edge OPDK to read kerberos conf files.
  • Recently, We have successfully implemented same with recent version of Apigee Edge OPDK.

Regarding, SPNEGO token and OAuth token, You can take one of them using some other header & do the mediation in Apigee Edge.

Hope it helps.

Anil Sagar


5997-screen-shot-2017-11-23-at-75916-pm.png
Learn Apigee Concepts in 4 Minutes HandsOn

3

So we have the mediation between Oauth and Kerberos working along the lines of what you suggested. It works from curl but now we are making the smart doc for our token request. The API responds with the WWW-Authenticate Negotiate header but the smart doc never sends the second request.

This is our token request api. First it uses the java callout to perform kerberos authentication, then it generates an oauth token. The java callout repsonds with a 401 that contains the WWW-Authenticate with a value of Negotiate. In when using curl or postman the trace shows a second request. But when the initial request comes from smart docs on the developer portal, the second request is never made.