Add better API to support communication with Kerberos endpoints #62202

Closed
wfurt opened this issue Nov 30, 2021 · 7 comments
Labels
api-suggestion Early API idea and discussion, it is NOT ready for implementation area-System.Net.Security
Milestone

Comments

@wfurt
Member

wfurt commented Nov 30, 2021

We sort of have NegotiateStream to allow mutual Kerberos authentication. However, that is a custom .NET extension and it does not work against endpoints written in other languages.
For example, #60906 caused a crashing regression because SqlClient depends on runtime internals and it is hard to keep in sync.
Similarly, PostgreSQL writes a custom wrapper around NegotiateStream to strip and add fields to make it usable.

It would be nice to have enough public API surface so projects like this can use .NET directly without jumping through weird hoops.
We would need to work out details and either extend NegotiateStream or come up with a separate stream class.

@wfurt wfurt added enhancement Product code improvement that does NOT require public API changes/additions api-suggestion Early API idea and discussion, it is NOT ready for implementation area-System.Net.Security labels Nov 30, 2021
@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged New issue has not been triaged by the area owner label Nov 30, 2021
@karelz karelz removed enhancement Product code improvement that does NOT require public API changes/additions untriaged New issue has not been triaged by the area owner labels Nov 30, 2021
@karelz karelz added this to the 7.0.0 milestone Nov 30, 2021
@karelz
Member

karelz commented Nov 30, 2021

Related to #29270

@karelz
Member

karelz commented Nov 30, 2021

Triage: We would like to support database clients in a better way in 7.0.

@filipnavara
Member

I checked what would be necessary to port dotnet/SqlClient to the new NegotiateAuthentication API. The missing pieces are two flags on the authentication (Delegate, MutualAuth). The API suggestion is in #70982.

@wfurt
Member Author

wfurt commented Jun 24, 2022

@filipnavara
Member

filipnavara commented Jun 24, 2022

The PostgreSQL driver has essentially identical requirements. Npgsql already wraps the public NegotiateStream API. It doesn't use the encrypt/decrypt part of NegotiateStream after authentication was established. The #70982 API is basically guaranteed to cover the needs since I reimplemented full NegotiateStream authentication on top of it (+ the Wrap/Unwrap for encrypt/decrypt, but that part is not necessary for Npgsql).
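
The issue description and the comment above both mention drivers wrapping NegotiateStream to strip and add fields. The C# below is an added illustration of that translation for one handshake message; it is not code from Npgsql, SqlClient or dotnet/runtime. It assumes the 5-byte handshake header defined in the [MS-NNS] specification (message id, major version, minor version, big-endian 16-bit payload length); the class name `NnsFrame` and the sample bytes are constructed.

```csharp
using System;
using System.Buffers.Binary;

// Constructed sample: a 4-byte stand-in for a GSSAPI token (not a real Kerberos token).
byte[] token = { 0x60, 0x02, 0x06, 0x00 };

byte[] frame = NnsFrame.Wrap(token);
Console.WriteLine(Convert.ToHexString(frame));
byte[] raw = NnsFrame.Unwrap(frame, out bool done);
Console.WriteLine($"{Convert.ToHexString(raw)} done={done}");

static class NnsFrame
{
    // Handshake message ids per [MS-NNS]; assumed here, not stated in this thread.
    const byte Done = 0x14, Error = 0x15, InProgress = 0x16;
    const int HeaderSize = 5;

    // Prepend the header NegotiateStream expects to a raw token received from the peer.
    public static byte[] Wrap(ReadOnlySpan<byte> token, bool done = false)
    {
        if (token.Length > ushort.MaxValue)
            throw new ArgumentException("token does not fit a 16-bit length", nameof(token));
        var frame = new byte[HeaderSize + token.Length];
        frame[0] = done ? Done : InProgress;
        frame[1] = 1; // major version
        frame[2] = 0; // minor version
        BinaryPrimitives.WriteUInt16BigEndian(frame.AsSpan(3), (ushort)token.Length);
        token.CopyTo(frame.AsSpan(HeaderSize));
        return frame;
    }

    // Strip the header from a message NegotiateStream wrote, leaving the raw token.
    public static byte[] Unwrap(ReadOnlySpan<byte> frame, out bool done)
    {
        if (frame.Length < HeaderSize)
            throw new FormatException("truncated handshake header");
        if (frame[0] == Error)
            throw new FormatException("peer reported a handshake error");
        if (frame[0] != Done && frame[0] != InProgress)
            throw new FormatException($"unexpected message id 0x{frame[0]:X2}");
        int length = BinaryPrimitives.ReadUInt16BigEndian(frame.Slice(3));
        if (frame.Length - HeaderSize != length)
            throw new FormatException("payload length does not match header");
        done = frame[0] == Done;
        return frame.Slice(HeaderSize).ToArray();
    }
}
```

A driver that gets raw tokens directly from the authentication API has no need for this translation layer, which is the gap the thread asks to close.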

@wfurt wfurt modified the milestones: Future, 7.0.0 Jul 13, 2022
@wfurt
Member Author

wfurt commented Jul 13, 2022

closing this as #70982 is merged.

@ghost ghost locked as resolved and limited conversation to collaborators Aug 12, 2022