Constrained delegation in WSGI/ASGI

[abompard]

Hey folks!

Here's my situation: I have a python-based web service that is currently authenticated via mod_auth_gssapi in Apache.
I'd like to migrate the authentication layer to Python to have more flexibility on where in the app the authentication takes place, and remove the apache layer that's only used for this (it's running in Openshift, adding layers to a container can quickly become a bit of a maintenance burden).

The trick is that this web service uses service delegation (s4u2proxy) in mod_auth_gssapi, and I can't get that to work in Python.
I've tried the asgi-gssapi and wsgi-kerberos projects (the latter with a PR to migrate it to python-gssapi instead of python-kerberos), and both don't provide me with SecurityContext.delegated_creds, it's always None. Authentication works, though, I get the principal I kinited with, no issue with that. When I use the same TLS certs and the same keytab with apache's mod_auth_gssapi, the delegation works correctly.
Here's parts of my Apache config file:

  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiUseSessions On
  Session On
  SessionCookieName fasjson_session path=/fasjson;httponly;secure;
  SessionHeader FASJSONSESSION
  GssapiSessionKey file:/run/fasjson/session.key
  GssapiCredStore keytab:/etc/httpd/conf/fasjson.keytab
  GssapiCredStore client_keytab:/etc/httpd/conf/fasjson.keytab
  GssapiCredStore ccache:FILE:/run/fasjson/krb5ccache
  GssapiImpersonate On
  GssapiDelegCcacheDir /run/fasjson/ccaches
  GssapiDelegCcachePerms mode:0660
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5

I wonder if there's something I must do with python-gssapi to enable delegation, that would be the equivalent of setting GssapiImpersonate and GssapiUseS4U2Proxy to "On". The docs say that it's automatic, but I'm obviously missing something.

You can see the python code here, it's not too complex, just one file:

• asgi-gssapi: https://github.com/washed-out/asgi-gssapi/blob/master/asgi_gssapi.py
• wsgi-kerberos with PR: https://github.com/svmhdvn/wsgi-kerberos/blob/python-gssapi/wsgi_kerberos.py

The client is curl in all cases, with the -u : --negotiate parameters.
On the server I'm setting the KRB5_KTNAME env var to my server keytab.
When using mod_auth_gssapi, IPA's krb5kdc.log has a TGS_REQ and a CONTSTRAINED-DELEGATION entry, and it does not have that when I use the python-gssapi libs.
You should be able to reproduce it using the example WSGI/ASGI files provided it either projects' repo (try the ASGI one first as delegation is officially supported there).
I've looked at this for hours but I haven't found what I'm doing wrong.

[abompard]

After a quick discussion with @simo5 , it appears that the setup was missing two things:

• it must initialize the Credentials with usage="both" (or nothing, since it's the default, but not usage="accept")
• it must set the keytab as a client_keytab too. I've set the KRB5_CLIENT_KTNAME env var (in addition to KRB5_KTNAME).

Now I need to make sure the delegated credentials aren't stored in a credentials store that is also accessible by others.