{"id":2262,"library":"requests-kerberos","title":"Requests Kerberos Authentication","description":"requests-kerberos is a Python library that provides a Kerberos authentication handler for the popular `requests` HTTP library. It enables applications to perform Kerberos/GSSAPI authentication, including mutual authentication, with web services. The current version is 0.15.0, with releases primarily driven by bug fixes, dependency updates, and feature enhancements related to Kerberos protocols.","status":"active","version":"0.15.0","language":"en","source_language":"en","source_url":"https://github.com/requests/requests-kerberos","tags":["requests","authentication","kerberos","gssapi","sso","security","http"],"install":[{"cmd":"pip install requests-kerberos","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Core HTTP library this package extends.","package":"requests"},{"reason":"Underlying Kerberos/GSSAPI negotiation library (changed from older dependencies in v0.13.0).","package":"pyspnego"}],"imports":[{"symbol":"HTTPKerberosAuth","correct":"from requests_kerberos import HTTPKerberosAuth"}],"quickstart":{"code":"import requests\nimport os\nfrom requests_kerberos import HTTPKerberosAuth, REQUIRED\n\n# NOTE: This example requires an active Kerberos Ticket-Granting Ticket (TGT)\n# obtained via `kinit` or similar, or explicit principal/password (not shown).\n# Replace 'http://your-kerberos-protected-service.example.com' with your actual URL.\n\nKERBEROS_URL = os.environ.get('KERBEROS_PROTECTED_URL', 'http://your-kerberos-protected-service.example.com')\n\ntry:\n    # By default, mutual_authentication=REQUIRED (as explicitly shown here)\n    # means the client will verify the server's identity.\n    response = requests.get(KERBEROS_URL, auth=HTTPKerberosAuth(mutual_authentication=REQUIRED))\n    response.raise_for_status() # Raise an exception for HTTP errors (4xx or 5xx)\n\n    print(f\"Successfully authenticated to {KERBEROS_URL}\")\n    print(f\"Status Code: {response.status_code}\")\n    print(f\"Response content snippet: {response.text[:200]}...\")\n\nexcept requests.exceptions.RequestException as e:\n    print(f\"Error accessing Kerberos protected service: {e}\")\nexcept Exception as e:\n    print(f\"An unexpected error occurred: {e}\")\n","lang":"python","description":"This quickstart demonstrates how to make a GET request to a Kerberos-protected service. It uses `HTTPKerberosAuth` to handle the authentication handshake. Ensure you have an active Kerberos Ticket-Granting Ticket (TGT) on your system (e.g., by running `kinit`) for the default principal to be used. The `KERBEROS_PROTECTED_URL` environment variable can be used to specify the target URL, otherwise a placeholder is used."},"warnings":[{"fix":"Ensure your project is running on Python 3.6 or newer. Upgrade Python if necessary.","message":"Dropped support for Python 2 and raised the minimum Python version to 3.6.","severity":"breaking","affected_versions":">=0.13.0"},{"fix":"If you relied on `wrap_winrm` or `unwrap_winrm`, these functions are no longer available and require alternative implementations. The change to `pyspnego` is largely internal but may impact specific GSSAPI setups.","message":"The underlying Kerberos dependency changed from older libraries to `pyspnego`. Additionally, `wrap_winrm` and `unwrap_winrm` functions were removed.","severity":"breaking","affected_versions":">=0.13.0"},{"fix":"Avoid directly accessing or relying on the `_context` attribute, as it's not part of the public API and may change without notice.","message":"The `context` attribute on `HTTPKerberosAuth` was renamed to `_context` to indicate it is for internal use only.","severity":"gotcha","affected_versions":">=0.13.0"},{"fix":"For HTTPS proxying with Kerberos, an alternative approach or a different authentication library might be necessary. This limitation applies specifically to `HTTPS` over `HTTP` proxies that require Kerberos authentication.","message":"Support for proxying `HTTPS` endpoints with Kerberos authentication is not available due to limitations of the underlying `requests` and `urllib3` libraries.","severity":"gotcha","affected_versions":">=0.14.0"},{"fix":"If mutual authentication is not strictly required or is causing issues with specific services, you can set `mutual_authentication=OPTIONAL` or `mutual_authentication=DISABLED` when initializing `HTTPKerberosAuth`. Consider `sanitize_mutual_error_response=False` if you need to inspect error responses regardless of authentication status.","message":"By default, `HTTPKerberosAuth` requires mutual authentication (`mutual_authentication=REQUIRED`), meaning it will verify the server's identity. If verification fails, a `requests_kerberos.errors.MutualAuthenticationError` is raised. If a server emits an error which cannot be authenticated, the response content/headers might be stripped unless `sanitize_mutual_error_response=False` is set.","severity":"gotcha","affected_versions":"*"},{"fix":"Ensure a valid TGT is present by running `kinit` or configuring your environment for automatic TGT renewal. For programmatic control, `HTTPKerberosAuth` can accept `principal` and `password` arguments, though this is generally less secure than using a credential cache.","message":"For `requests-kerberos` to function, a Kerberos Ticket-Granting Ticket (TGT) must typically be available in the local credential cache (e.g., obtained via `kinit`). Without an active TGT, authentication attempts will fail.","severity":"gotcha","affected_versions":"*"},{"fix":"Review how `send_cbt` is configured and ensure it aligns with the new per-host behavior, especially in environments with multiple Kerberos-protected services.","message":"The implementation of Channel Binding Tokens (CBT) for `send_cbt` is now per-host. This might change behavior if your setup previously relied on a global CBT configuration.","severity":"gotcha","affected_versions":">=0.15.0"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}