Support SPNEGO Authentication in HttpClient

[raccoonback]

Motivation

This PR adds support for SPNEGO (Kerberos) authentication to HttpClient, addressing #3079.
SPNEGO is widely used for HTTP authentication in enterprise environments, particularly those based on Kerberos.

Changes

SpnegoAuthProvider

Provides SPNEGO authentication by generating a Kerberos-based token and attaching it to the Authorization header of outgoing HTTP requests.

JaasAuthenticator

Provides a pluggable way to perform JAAS-based Kerberos login, making it easy to integrate with various authentication backends.

HttpClient.spnego(...) API

Adds a new API to configure SPNEGO authentication for HttpClient instances.

HttpClient client = HttpClient.create()
    .spnego(SpnegoAuthProvider.create(new JaasAuthenticator("KerberosLogin")));

client.get()
      .uri("http://protected.example.com/")
      .responseSingle((res, content) -> content.asString())
      .block();

jaas.conf

A JAAS(Java Authentication and Authorization Service) configuration file in Java for integrating with authentication backends such as Kerberos.

KerberosLogin {
    com.sun.security.auth.module.Krb5LoginModule required
    client=true
    useKeyTab=true
    keyTab="/path/to/test.keytab"
    principal="[email protected]"
    doNotPrompt=true
    debug=true;
};

krb5.conf

krb5.conf is a Kerberos client configuration file used to define how the client locates and communicates with the Kerberos Key Distribution Center (KDC) for authentication.

[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
[domain_realms]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

How It Works

• When a server responds with 401 Unauthorized and a WWW-Authenticate: Negotiate header,
  the client automatically generates a SPNEGO token using the Kerberos ticket and resends the request with the appropriate Authorization header.
• The implementation is based on Java's GSS-API and is compatible with standard Kerberos environments.

Environment Configuration

Requires proper JAAS (jaas.conf) and Kerberos (krb5.conf) configuration.
See the updated documentation for example configuration files and JVM options.

Additional Notes

• The SpnegoAuthProvider allows for easy extension and testing by supporting custom authenticators and GSSManager injection.
• The feature is fully compatible with Java 1.6+ and works on both Unix and Windows environments.

[raccoonback]

I tested Kerberos authentication using the krb5 available at https://formulae.brew.sh/formula/krb5.

[raccoonback]

It logs in using the specified JAAS login context name and returns the authenticated Subject object.

[raccoonback]

If a SPNEGO authentication expiration response is received via the HTTP response, the authentication header value is cleared.

[raccoonback]

If SPNEGO authentication is configured through the HttpClient, authentication is attempted before sending the request.

[raccoonback]

If a valid authentication token already exists, it is reused.

[raccoonback]

After obtaining Kerberos credentials via JAAS login, a SPNEGO token for the target server is generated using the GSS-API, and the Authorization: Negotiate <token> header is added to the request.

[raccoonback]

Re-authenticates with SPNEGO if necessary.

[raccoonback]

Configures it to retry even if a SpnegoRetryException occurs.

[raccoonback]

@violetagg
Hello!
Please check this PR when you have a chance. 😃

[wendigo]

This is so great! Looking forward to get this in :)

[wendigo]

I can provide some guidance around APIs and configuration. Not every kerberos-enabled client uses JAAS, therefore the direct Subject/SPNEGO token support should be provided

[raccoonback]

@wendigo
Hello!
Thank you for the great point. 😀

I was thinking of allowing users to implement the SpnegoAuthenticator interface, similar to JaasAuthenticator, to support custom authentication logic if needed.

If I understood you correctly, you're suggesting that we should provide a way for users to directly supply a Subject, as in the example below:

public class DirectSubjectAuthenticator implements SpnegoAuthenticator {

    // ...
    private Subject subject;

    @Override
    public Subject login() throws LoginException {
        return subject;
    }

    // ...
}

Would you be able to share a more concrete example or use case?
It would help refine the design in the right direction.

[wendigo]

Sure @raccoonback.

I'd like to use reactor-netty in the trino CLI/JDBC/client libraries.

We support delegated/constrained/unconstrained kerberos authentication. Relevant code is here:

https://github.com/trinodb/trino/tree/master/client/trino-client/src/main/java/io/trino/client/auth/kerberos

This is how we add it to the okhttp: https://github.com/trinodb/trino/blob/master/client/trino-client/src/main/java/io/trino/client/auth/kerberos/SpnegoHandler.java

Configurability is important as we expose configuration that allows the user to pass remote service name, service principal name, whether to canonicalize hostname: https://github.com/trinodb/trino/blob/master/client/trino-client/src/main/java/io/trino/client/auth/kerberos/SpnegoHandler.java#L50C5-L54C48

[raccoonback]

@violetagg
I think supporting not only JAAS-based authentication but also allowing the user to provide a GSSCredential directly could improve configurability and flexibility.
This would be especially useful in environments where JAAS is not preferred or where credentials need to be managed programmatically.
What do you think about this direction?

cc. @wendigo

[violetagg]

I'm currently on vacation. When I return I'll check it. На нд, 27.07.2025 г. в 18:21 KOSEUNGBIN ***@***.***> написа:

…

*raccoonback* left a comment (reactor/reactor-netty#3813) <#3813 (comment)> @violetagg <https://github.com/violetagg> I think supporting not only JAAS-based authentication but also allowing the user to provide a GSSCredential directly could improve configurability and flexibility. This would be especially useful in environments where JAAS is not preferred or where credentials need to be managed programmatically. What do you think about this direction? cc. @wendigo <https://github.com/wendigo> — Reply to this email directly, view it on GitHub <#3813 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAFKCVJR2CIDYFH4XV65ZID3KTU6LAVCNFSM6AAAAAB75EX2K6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTCMRUGQ4DSNBVGA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[raccoonback]

@wendigo
I've added GSSCredential-based SPNEGO authentication and support for service name and canonical hostname configuration.
Thank you for the suggestion.

[raccoonback]

If the resource server responds with a requirement for SPNEGO authentication, the client will retry the authentication.

[raccoonback]

The previously issued SPNEGO Negotiate Token is cleared, and a reissue attempt is made.

[raccoonback]

Authentication is performed based on JAAS.

[raccoonback]

The HTTP client receives the options required for SPNEGO authentication:

1. HTTP status to catch the authentication required error response from the resource server
2. Service principal name
3. Whether to handle canonical hostname

[raccoonback]

It is handled as the canonical hostname.

[raccoonback]

Generates a SPNEGO Negotiate token for the given host name.