Skip to content

Support HTTP Authentication in HttpClient #3813

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

Support HTTP Authentication in HttpClient #3813

wants to merge 18 commits into from
+830 −44

Conversation

@raccoonback
Copy link
Contributor

@raccoonback raccoonback commented Jun 23, 2025
edited
Loading

Motivation

This PR adds support for SPNEGO (Kerberos) authentication to HttpClient, addressing #3079.
SPNEGO is widely used for HTTP authentication in enterprise environments, particularly those based on Kerberos.

Changes

SpnegoAuthProvider

Provides SPNEGO authentication by generating a Kerberos-based token and attaching it to the Authorization header of outgoing HTTP requests.

JaasAuthenticator

Provides a pluggable way to perform JAAS-based Kerberos login, making it easy to integrate with various authentication backends.

HttpClient.spnego(...) API

Adds a new API to configure SPNEGO authentication for HttpClient instances.

HttpClient client = HttpClient.create()
    .spnego(SpnegoAuthProvider.create(new JaasAuthenticator("KerberosLogin")));

client.get()
      .uri("http://protected.example.com/")
      .responseSingle((res, content) -> content.asString())
      .block();

jaas.conf

A JAAS(Java Authentication and Authorization Service) configuration file in Java for integrating with authentication backends such as Kerberos.

KerberosLogin {
    com.sun.security.auth.module.Krb5LoginModule required
    client=true
    useKeyTab=true
    keyTab="/path/to/test.keytab"
    principal="[email protected]"
    doNotPrompt=true
    debug=true;
};

krb5.conf

krb5.conf is a Kerberos client configuration file used to define how the client locates and communicates with the Kerberos Key Distribution Center (KDC) for authentication.

[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
[domain_realms]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

How It Works

  • When a server responds with 401 Unauthorized and a WWW-Authenticate: Negotiate header,
    the client automatically generates a SPNEGO token using the Kerberos ticket and resends the request with the appropriate Authorization header.
  • The implementation is based on Java's GSS-API and is compatible with standard Kerberos environments.

Environment Configuration

Requires proper JAAS (jaas.conf) and Kerberos (krb5.conf) configuration.
See the updated documentation for example configuration files and JVM options.

Additional Notes

  • The SpnegoAuthProvider allows for easy extension and testing by supporting custom authenticators and GSSManager injection.
  • The feature is fully compatible with Java 1.6+ and works on both Unix and Windows environments.

@raccoonback
Copy link
Contributor Author

raccoonback commented Jun 23, 2025

I tested Kerberos authentication using the krb5 available at https://formulae.brew.sh/formula/krb5.

@raccoonback raccoonback force-pushed the issue-3079 branch 5 times, most recently from 19ccf13 to 090e1c2 Compare June 26, 2025 06:49
@raccoonback raccoonback changed the title Support SPNEGO (Kerberos) Authentication in HttpClient Support SPNEGO Authentication in HttpClient Jun 27, 2025
@raccoonback raccoonback force-pushed the issue-3079 branch 3 times, most recently from a6efd89 to 96aa2ba Compare July 1, 2025 08:57
raccoonback
raccoonback commented Jul 1, 2025
View reviewed changes
@raccoonback raccoonback force-pushed the issue-3079 branch 2 times, most recently from 8fcac3f to a77c0a5 Compare July 5, 2025 03:43
raccoonback
raccoonback commented Jul 5, 2025
View reviewed changes
@raccoonback
Copy link
Contributor Author

raccoonback commented Jul 5, 2025

@violetagg
Hello!
Please check this PR when you have a chance. 😃

@wendigo
Copy link

wendigo commented Jul 23, 2025

This is so great! Looking forward to get this in :)

@wendigo
Copy link

wendigo commented Jul 23, 2025

I can provide some guidance around APIs and configuration. Not every kerberos-enabled client uses JAAS, therefore the direct Subject/SPNEGO token support should be provided

@raccoonback
Copy link
Contributor Author

raccoonback commented Jul 24, 2025

@wendigo
Hello!
Thank you for the great point. 😀

I was thinking of allowing users to implement the SpnegoAuthenticator interface, similar to JaasAuthenticator, to support custom authentication logic if needed.

If I understood you correctly, you're suggesting that we should provide a way for users to directly supply a Subject, as in the example below:

public class DirectSubjectAuthenticator implements SpnegoAuthenticator {

    // ...
    private Subject subject;

    @Override
    public Subject login() throws LoginException {
        return subject;
    }

    // ...
}

Would you be able to share a more concrete example or use case?
It would help refine the design in the right direction.

@wendigo
Copy link

wendigo commented Jul 24, 2025

Sure @raccoonback.

I'd like to use reactor-netty in the trino CLI/JDBC/client libraries.

We support delegated/constrained/unconstrained kerberos authentication. Relevant code is here:

https://github.com/trinodb/trino/tree/master/client/trino-client/src/main/java/io/trino/client/auth/kerberos

This is how we add it to the okhttp: https://github.com/trinodb/trino/blob/master/client/trino-client/src/main/java/io/trino/client/auth/kerberos/SpnegoHandler.java

Configurability is important as we expose configuration that allows the user to pass remote service name, service principal name, whether to canonicalize hostname: https://github.com/trinodb/trino/blob/master/client/trino-client/src/main/java/io/trino/client/auth/kerberos/SpnegoHandler.java#L50C5-L54C48

@raccoonback
Copy link
Contributor Author

raccoonback commented Jul 27, 2025

@violetagg
I think supporting not only JAAS-based authentication but also allowing the user to provide a GSSCredential directly could improve configurability and flexibility.
This would be especially useful in environments where JAAS is not preferred or where credentials need to be managed programmatically.
What do you think about this direction?

cc. @wendigo

@violetagg
Copy link
Member

violetagg commented Jul 28, 2025 via email

@raccoonback
Copy link
Contributor Author

raccoonback commented Jul 30, 2025

@wendigo
I've added GSSCredential-based SPNEGO authentication and support for service name and canonical hostname configuration.
Thank you for the suggestion.

@raccoonback raccoonback force-pushed the issue-3079 branch 2 times, most recently from 685924c to b082661 Compare July 30, 2025 23:39
raccoonback
raccoonback commented Jul 31, 2025
View reviewed changes
@raccoonback
Copy link
Contributor Author

raccoonback commented Aug 24, 2025

@violetagg
Hello.
I would appreciate it if you could review this PR.
Thanks!

@violetagg
Copy link
Member

violetagg commented Sep 1, 2025

@violetagg Hello. I would appreciate it if you could review this PR. Thanks!

I'm just returning fro vacation, will check it in the next days or so

@raccoonback
Copy link
Contributor Author

raccoonback commented Oct 16, 2025

@violetagg
Hello.
I would appreciate it if you could review this PR.
Thanks!

@violetagg
Copy link
Member

violetagg commented Oct 16, 2025

I will check this one ... just need to finalise some other tasks.

github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 17, 2025
View reviewed changes
.../java/reactor/netty/examples/documentation/http/client/authentication/token/Application.java
* Generates an authentication token for the given remote address.
* In a real application, this would retrieve or generate a valid token.
*/
static String generateAuthToken(SocketAddress remoteAddress) {

Check notice

Code scanning / CodeQL

Useless parameter Note documentation

The parameter 'remoteAddress' is never used.
@raccoonback raccoonback changed the title Support SPNEGO Authentication in HttpClient Support HTTP Authentication in HttpClient Nov 17, 2025
@raccoonback
Copy link
Contributor Author

raccoonback commented Nov 17, 2025

@violetagg
I’ve improved it in the guide you suggested.
Please review it!

violetagg
violetagg requested changes Nov 19, 2025
View reviewed changes
Copy link
Member

@violetagg violetagg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! This is the direction. I have some comments related to the implementation.

reactor-netty-http/src/main/java/reactor/netty/http/client/HttpClient.java Outdated
* @return a new {@link HttpClient}
* @since 1.3.0
*/
public final HttpClient httpAuthentication(
Copy link
Member

@violetagg violetagg Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's have two APIs (similar to what we have already)

  • httpAuthentication - this will provide just a BiConsumer
  • httpAuthenticationWhen - this will use the current signature

Copy link
Contributor Author

@raccoonback raccoonback Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@violetagg
Since the decision to apply the authenticator is made using a BiPredicate<HttpClientRequest, HttpClientResponse> predicate, I think that httpAuthentication requires both a BiPredicate and a BiConsumer.
What do you think?

Copy link
Member

@violetagg violetagg Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes

reactor-netty-http/src/main/java/reactor/netty/http/client/HttpClientConnect.java Outdated
Comment on lines 460 to 470
HttpClientOperations operations = connection.as(HttpClientOperations.class);
if (operations != null && handler.authenticationPredicate != null) {
if (handler.authenticationPredicate.test(operations, operations)) {
if (log.isDebugEnabled()) {
log.debug(format(operations.channel(), "Authentication predicate matched, triggering retry"));
}
sink.error(new HttpClientAuthenticationException());
return;
}
}

Copy link
Member

@violetagg violetagg Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is better to use the mechanism that we use for follow redirect. reactor.netty.http.client.HttpClientOperations#onInboundNext -> see how "redirecting" is used. The idea is that once we decide to retry we will need to take care of this connection, which means we drain the incoming messages, no message goes to the end user etc (we don't know whether the server will send only the headers or also some message). Basically we need to return to the connection pool a clean connection. Also because we don't send any message to the end user we can switch to auto-read = true

reactor-netty-http/src/main/java/reactor/netty/http/client/HttpClientConnect.java Outdated
Comment on lines 571 to 581
if (authenticator != null && authenticationAttempted) {
return authenticator.apply(ch, ch.address())
.then(
Mono.defer(
() -> Mono.from(requestWithBodyInternal(ch))
)
);
}

return requestWithBodyInternal(ch);
}
Copy link
Member

@violetagg violetagg Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't it too early here to provide the HttpClientOperations? HttpClientOperations is still empty and we need to configure it which happens in the new method requestWithBodyInternal.

@raccoonback
Copy link
Contributor Author

raccoonback commented Nov 20, 2025

@violetagg
Should this feature also be considered in Http2WebsocketClientOperations and WebsocketClientOperations?
Since redirecting is already handled in those Operations as well, I wanted to check.

@violetagg
Copy link
Member

violetagg commented Nov 20, 2025

@violetagg Should this feature also be considered in Http2WebsocketClientOperations and WebsocketClientOperations? Since redirecting is already handled in those Operations as well, I wanted to check.

yes

@raccoonback
Support SPNEGO (Kerberos) authentication
4ddffb0 
Signed-off-by: raccoonback <[email protected]>
@raccoonback
Reuse SPNEGO token until expiry and reset on expiration
6b09c79 
Signed-off-by: raccoonback <[email protected]>
@raccoonback
Ensure GSSContext is disposed after initializing security context
5a8ff02 
Signed-off-by: raccoonback <[email protected]>
@raccoonback
Add SpnegoAuthenticationException for better error handling in SPNEGO…
956b1f8 
… authentication

Signed-off-by: raccoonback <[email protected]>
@raccoonback
Improve SPNEGO authentication retry mechanism
82dd4f6 
Signed-off-by: raccoonback <[email protected]>
@raccoonback
Support GSSCredential-based SPNEGO authentication
d1ef964 
Signed-off-by: raccoonback <[email protected]>
@raccoonback
Generalize the httpAuthentication infrastructure and remove SPNEGO-sp…
5e664fa 
…ecific design

Following the review feedback, this change updates the proposed SPNEGO-specific
implementation into a more generic authentication flow that can support various
HTTP authentication mechanisms.

Signed-off-by: raccoonback <[email protected]>
@raccoonback
Update omitting the stack trace
ee921a0 
Signed-off-by: raccoonback <[email protected]>
@raccoonback
Apply authenticator after HTTP request preparation
e35a028 
Moved authenticator to occur after the HTTP request is
prepared, ensuring configuration is completed before authentication
logic runs.

Signed-off-by: raccoonback <[email protected]>
@raccoonback
Ensure response messages are drained before authentication retry
0e05222 
Move authentication predicate evaluation from RESPONSE_RECEIVED state to response processing, ensuring all response messages are consumed before retrying with authentication.

Signed-off-by: raccoonback <[email protected]>
@raccoonback
Extend authentication handling to WebSocket operations
1865e7c 
Signed-off-by: raccoonback <[email protected]>
@raccoonback
Add httpAuthentication API and rename existing to httpAuthenticationWhen
138d7d2 
Introduce httpAuthentication(BiFunction) for automatic 401 retry, and rename the predicate-based method to httpAuthenticationWhen for clarity when custom retry conditions are needed.

Signed-off-by: raccoonback <[email protected]>
@raccoonback
Add test for HTTP authentication state propagation
721be5c 
Signed-off-by: raccoonback <[email protected]>
@raccoonback
Update documentation and examples for httpAuthentication API changes
dead58f 
Signed-off-by: raccoonback <[email protected]>
@raccoonback
Fix broken test
723ac4b 
Signed-off-by: raccoonback <[email protected]>
raccoonback
raccoonback commented Nov 20, 2025
View reviewed changes
reactor-netty-http/src/main/java/reactor/netty/http/client/HttpClient.java
Comment on lines 1699 to 1731
/**
* Configure HTTP authentication that retries on 401 Unauthorized responses.
* <p>
* This method provides a generic authentication framework that allows users to implement
* their own authentication mechanisms (e.g., Negotiate/SPNEGO, OAuth, Bearer tokens, custom schemes).
* The framework automatically retries requests when a 401 Unauthorized response is received.
* </p>
*
* <p>Example - Token-based Authentication:</p>
* <pre>
* {@code
* HttpClient client = HttpClient.create()
* .httpAuthentication(
* // Add authentication header before request
* (req, addr) -> {
* String token = generateAuthToken(addr);
* req.header(HttpHeaderNames.AUTHORIZATION, "Bearer " + token);
* return Mono.empty();
* }
* );
* }
* </pre>
*
* @param authenticator applies authentication to the request, receives the request and remote address,
* returns a Mono that completes when authentication is applied
* @return a new {@link HttpClient}
* @since 1.3.0
* @see #httpAuthenticationWhen(BiPredicate, BiFunction)
*/
public final HttpClient httpAuthentication(
BiFunction<? super HttpClientRequest, ? super SocketAddress, ? extends Mono<Void>> authenticator) {
return httpAuthenticationWhen(HttpClientConfig.AUTHENTICATION_PREDICATE, authenticator);
}
Copy link
Contributor Author

@raccoonback raccoonback Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

support HTTP authentication that retries on 401 Unauthorized responses.

Copy link
Member

@violetagg violetagg Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I needed to be more concrete - I was thinking about these below. The idea is that if you don't need to delay the token generation (i.e. asking some other component/service for a token) then you can immediately calculate it and add it to the headers thus no need of Mono otherwise you use the variant with Mono. Does this make sense?

	public final HttpClient httpAuthentication(
			BiPredicate<HttpClientRequest, HttpClientResponse> predicate,
			BiConsumer<? super HttpClientRequest, ? super SocketAddress> authenticator) {
	}

	public final HttpClient httpAuthenticationWhen(
			BiPredicate<HttpClientRequest, HttpClientResponse> predicate,
			BiFunction<? super HttpClientRequest, ? super SocketAddress, ? extends Mono<Void>> authenticator) {
	}

Copy link
Contributor Author

@raccoonback raccoonback Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@violetagg
Feedback has been applied.
Please review it again. 🙏

@raccoonback
Fix checkstyle
d2c310c 
Signed-off-by: raccoonback <[email protected]>
@raccoonback
Copy link
Contributor Author

raccoonback commented Nov 20, 2025

@violetagg
I’ve applied all the review comments.
Please take another look. 🙂

@raccoonback
Fix test warning log
b65d57d 
Signed-off-by: raccoonback <[email protected]>
@raccoonback
Update httpAuthentication API to accept custom retry predicate
18a038c 
This change updates the httpAuthentication() method to require both a retry predicate and an authenticator, allowing users to customize when authentication retry should occur.

Signed-off-by: raccoonback <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@violetagg violetagg Awaiting requested review from violetagg

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

1.3.x Backlog

Development

Successfully merging this pull request may close these issues.

Support For Spnego Auth scheme support for netty HttpClient similar to Apache's

3 participants

@raccoonback @wendigo @violetagg