Don't ask user credentials to access / but do use Kerberos authentication to upstream

[jbostoen]

I'm researching the possibility of making Nginx reverse proxy a website for which Kerberos authentication is needed.

Assume my users are pre-authenticated and I can share the credential cache: is it possible in the current version to NOT require the user to enter credentials when accessing the website (so no pop-up to the user or no SPNEGO or whatsoever); but to still pass Kerberos credentials (from the cache file) to the upstream server?

Although it's an edge case, it would be an awesome addition.

[hawicz]

I don't this this extension will help you any, but since you seem to be talking about giving nginx direct access to per-user cred cache files you can probably write a bit of lua code to run https://github.com/elric1/gss-token with an appropriate KRB5CCNAME set, and stuff that into the WWW-Authorization:Negotiate... header that you pass to the end website.