How to set username to mod_gssapi in Apache server

[Snaut1]

have the following configuration in Apache below. I need to set username from decoded Base64 JWT token. I get the correct ENV for REMOTE_USER_LOCAL, but this doesn't work with mod_gssapi:

<VirtualHost *:80>
ServerName apkrb-test1.reg.intra.net:80

SSLProxyEngine on
ProxyPass "/" "https://server_proxy/"
ProxyPassReverse "/" "https://server_proxy/"
RewriteMap jwt_decoder prg:/etc/httpd/conf.d/extract_jwt.sh
<Location / >
RewriteCond %{HTTP:Authorization} ^Bearer\s+(.+)$
RewriteRule . - [E=JWT_TOKEN:%1]
RewriteCond %{ENV:JWT_TOKEN} ^(.+)$
RewriteRule . - "[E=JWT_DECODED:${jwt_decoder:%{ENV:JWT_TOKEN}}]"
RewriteCond %{ENV:JWT_DECODED} "userPrincipalName"\s*:\s*"([^"]+)" [NC]
RewriteRule . - [E=REMOTE_USER_TEMP:%1]
RewriteCond %{ENV:REMOTE_USER_TEMP} ^(.)@reg.ad2012.loc$ [NC]
RewriteRule . - [E=REMOTE_USER:%[email protected]]
rewriteCond %{ENV:REMOTE_USER_LOCAL} ^(?!\s$).+
RewriteRule . - [E=JWT_AUTH:1]
RequestHeader set X-JWT-Auth %{JWT_AUTH}e
GssapiCredStore keytab:/etc/httpd/conf.d/t_hrkrbtest.keytab
GssapiUseS4U2Proxy On
GssapiLocalName Off
GssapiAllowedMech krb5
GSSapiImpersonate On
GssapiPublishErrors On
GssapiNegotiateOnce Off
GssapiDelegCcacheDir /etc/httpd/conf.d/krb5/
GssapiDelegCcachePerms mode=0600 uid=48 gid=48

</Location>

ErrorLog "/var/log/httpd/apkrb-test1_error.log"
LogLevel debug rewrite:trace6 env:trace6
CustomLog "/var/log/httpd/apkrb-test1_access.log" combined

In the log I see that the module auth doesn't execute the block:

[Thu May 29 17:06:16.054983 2025] [auth_gssapi:debug] [pid 25496] mod_auth_gssapi.c(702): [client 10.227.103.117:34190] Authentication user not found, skipping impersonation.
Any ideas on how I can set username to mod_gssapi module correctly?

I tried many variations. I assume that mod_gssapi started before mod_rewrite, but how can I change this? I tried do this with IfModule, but it doesn't work.

[simo5]

I am not sure what would be the purpose of what you are asking ... but there is no way to "pass a user".

mod_auth_gssapi is used to validate a ticket presented by a user to a gssapi server, the "username" is implicit in those credentials, without any credentials to validate mod_auth_gssapi is kinda useless. And with credntials the username is implicit there and there is no need to pass a username.

The only case where a username is allowed is for the basic auth fallback.
In that case you would have to construct an authentication header with the payload formatted as base64_encode(username:password) (see HTTP docs for Basic auth headers).

[Snaut1]

if so what is the KDC? Windows AD, FreeIPA/Red Hat Idm, plain MIT/Heimdal KDC ?

Windows AD

[Snaut1]

In any case mod_auth_gssapi does not read the server environment variables, it expects a user authentication happened just before the fixup facility is called, and source the user name from the internal server request structure.

then how can I transfer the UPD to the module after extracting the UPN from the jwt token? I tried the AuthType anon module, but that doesn't work either (

[simo5]

The ideal solution would be to have an authentication module that handles your JWT and sets the user variable in the request structure.

Lacking that we'd have to add an option to allow you to source the user name from some variable I guess.

You can open a feature request, but just to set expectations, I do not think I will have to time to work on new features in the near term.

Another option is that you do S4U2SELF on your own, it is not many calls, if you are already using python you should be able to use python-gssapi to make the right calls.

[Snaut1]

The ideal solution would be to have an authentication module that handles your JWT and sets the user variable in the request structure.

Lacking that we'd have to add an option to allow you to source the user name from some variable I guess.

You can open a feature request, but just to set expectations, I do not think I will have to time to work on new features in the near term.

Another option is that you do S4U2SELF on your own, it is not many calls, if you are already using python you should be able to use python-gssapi to make the right calls.

Thank you for help! i use mod_authz_jwt for validate token and extract UPN from jwt. mod_gssapi now working!