Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

force_preemptive=True is only preemptive the first time #178

Open
gconklin opened this issue Jul 8, 2022 · 1 comment
Open

force_preemptive=True is only preemptive the first time #178

gconklin opened this issue Jul 8, 2022 · 1 comment

Comments

@gconklin
Copy link

gconklin commented Jul 8, 2022

When setting force_preemptive=True, it looks like only the first request gets an immediate 200 and all other following requests get a 401, and then a 200.

I'm essentially doing this:

import requests
from requests_kerberos import HTTPKerberosAuth
from requests_kerberos.exceptions import KerberosExchangeError

class Thing:
    def __init__(self):
        self.session = requests.Session()
        self.session.auth = HTTPKerberosAuth(force_preemptive=True)

    def get(self, url):
        return self.session.get(url)

t = Thing()
t.get("https://hostname/")
t.get("https://hostname/")

First request:
DEBUG:requests_kerberos.kerberos_:HTTPKerberosAuth: Preemptive Authorization header: Negotiate ...
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): hostname:443
DEBUG:urllib3.connectionpool:https://hostname:443 "GET / HTTP/1.1" 200 None
DEBUG:requests_kerberos.kerberos_:handle_other(): Handling: 200
DEBUG:requests_kerberos.kerberos_:handle_other(): Authenticating the server
DEBUG:requests_kerberos.kerberos_:authenticate_server(): Authenticate header:
DEBUG:requests_kerberos.kerberos_:authenticate_server(): returning <Response [200]>
DEBUG:requests_kerberos.kerberos_:handle_other(): returning <Response [200]>
DEBUG:requests_kerberos.kerberos_:handle_response(): returning <Response [200]>

Next request:
DEBUG:urllib3.connectionpool:https://hostname:443 "GET / HTTP/1.1" 401 381
DEBUG:requests_kerberos.kerberos_:handle_401(): Handling: 401
DEBUG:requests_kerberos.kerberos_:authenticate_user(): Authorization header: Negotiate ...
DEBUG:urllib3.connectionpool:https://hostname:443 "GET / HTTP/1.1" 200 None
DEBUG:requests_kerberos.kerberos_:authenticate_user(): returning <Response [200]>
DEBUG:requests_kerberos.kerberos_:handle_401(): returning <Response [200]>
DEBUG:requests_kerberos.kerberos_:handle_response(): returning <Response [200]>
DEBUG:requests_kerberos.kerberos_:handle_response() has seen 0 401 responses
DEBUG:requests_kerberos.kerberos_:handle_other(): Handling: 200
DEBUG:requests_kerberos.kerberos_:handle_other(): returning <Response [200]>
DEBUG:requests_kerberos.kerberos_:handle_response(): returning <Response [200]>

requests==2.27.1
requests-kerberos==0.14.0
chamakuri-vineel added a commit to chamakuri-vineel/requests-kerberos that referenced this issue Sep 1, 2023
@chamakuri-vineel
Send Authorization header irrespective of previous authentication sta…
9a05cb6 
…tus (requests#178)

- Currently 'force_preemptive' flag sends the 'Authorization' header only for the
  first call and not for subsequent calls. This is because 'Authorization' header
  is preemptively sent only if the request is not authenticated. The status of
  authentication is stored as 'auth_done' instance variable.
  Since all the HTTP calls use the same instance of HTTPKerberosAuth class
  the 'auth_done' instance variable is set to True after first successful
  authentication and thus 'Authorization' header is not set preemptively
  after that.
- The fix is to send the Authorization header irrespective of the
  authentication status of previous call.
@chamakuri-vineel chamakuri-vineel mentioned this issue Sep 1, 2023
Open
@chamakuri-vineel
Copy link

This is because of the following reason:

Currently force_preemptive flag sends the Authorization header only for the first call and not for subsequent calls. This is because Authorization header is preemptively sent only if the request is not authenticated. The status of authentication is stored as auth_done instance variable. Since all the HTTP calls use the same instance of HTTPKerberosAuth class the auth_done instance variable is set to True after first successful authentication and thus Authorization header is not set preemptively after that.
Raised a PR to fix this issue #183

chamakuri-vineel added a commit to chamakuri-vineel/requests-kerberos that referenced this issue Jan 13, 2024
@chamakuri-vineel
Send Authorization header irrespective of previous authentication sta…
318fd99 
…tus (requests#178)

- Currently 'force_preemptive' flag sends the 'Authorization' header only for the
  first call and not for subsequent calls. This is because 'Authorization' header
  is preemptively sent only if the request is not authenticated. The status of
  authentication is stored as 'auth_done' instance variable.
  Since all the HTTP calls use the same instance of HTTPKerberosAuth class
  the 'auth_done' instance variable is set to True after first successful
  authentication and thus 'Authorization' header is not set preemptively
  after that.
- The fix is to send the Authorization header irrespective of the
  authentication status of previous call.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gconklin @chamakuri-vineel