Proxy Authentication

[christophvw]

Could it be that kerberos proxy authentication is not supported yet?

407 - Proxy-Authenticate', 'Proxy-Authorization

[christophvw]

patch for proxy-support

TODO:
-host should be set to the proxy server (currently you have to use hostname_override)
-fix urlib3 HTTPS proxy support

kerberos_.txt

[enzolis]

Thanks for providing this patch. I am using a company proxy which asks for authentication via Kerberos.

I changed your code slightly to check for a set proxy in case of 407 during authenticate_user to use this as the host name to get the service ticket for.

kerberos_proxy.txt

[pradyunsg]

Please consider filing pull requests instead of attaching patches as attachments to comments.

[enzolis]

Yes, you are right. Lets follow up here: #149

[nametkin]

I think that this point:

fix urlib3 HTTPS proxy support

is the main point of your TODO-list. If it were possible to solve the problem with urllib3 (or rather, the problem with the function _tunnel of module httplib/http.client that raises an OSError if it does not receive the necessary authentication data), then it would be possible to quickly implement authentication with a proxy server for all other types of authentication (digest, NTLM). But for now, despite the many issues similar to this (there was already a similar request for this requests-kerberos too - #83 ), this problem has not been resolved. We can only use various workarounds. For example, if you require preempetive authentication, you can use this approach (I mentioned it in #83 ):

import requests
from requests_kerberos import HTTPKerberosAuth
from urllib3.util import parse_url

class HTTPAdapterWithProxyKerberosAuth(requests.adapters.HTTPAdapter):
    def proxy_headers(self, proxy):
        headers = {}
        auth = HTTPKerberosAuth()
        negotiate_details = auth.generate_request_header(None, parse_url(proxy).host, is_preemptive=True)
        headers['Proxy-Authorization'] = negotiate_details
        return headers

session = requests.Session()
session.proxies = {'http': 'http://yourproxy:proxyport', 'https': 'http://yourproxy:proxyport'}
session.mount('https://', HTTPAdapterWithProxyKerberosAuth())

response = session.get("https://www.google.com/")

This approach repeats what happens in the case of Basic authentication, which the requests supports. We prepare authentication data in advance for sending to the _tunnel, so it does not raise an error. This code works for me, maybe it will come in handy for you too.
If we consider non-preempetive authentication, it might be enough to rewrite the method proxy_headers like this:

class HTTPAdapterWithProxyKerberosAuth(requests.adapters.HTTPAdapter):
    def proxy_headers(self, proxy):
        headers = {}
        proxy_response = requests.get(proxy, auth=HTTPKerberosAuth())
        headers['Proxy-Authorization'] = proxy_response.request.headers['Authorization']
        return headers

But I'm not sure it needs to be tested.

[christophvw]

https://github.com/urllib3/urllib3/blob/main/CHANGES.rst
1.26.0 (2020-11-10)
Added support for HTTPS proxies contacting HTTPS servers (Pull #1923, Pull #1806)

The underlying problem should be fixed now.
Any update to get this merged?

[jborean93]

Duplicate of #83