Expand description
Kerberos/SPNEGO Negotiate authentication for reqwest.
This crate provides an extension trait for reqwest::RequestBuilder that adds
Kerberos SPNEGO (Negotiate) authentication support using the system’s GSSAPI library.
§Prerequisites
- A valid Kerberos ticket (obtained via
kinitor similar) - GSSAPI libraries installed on your system (
libgssapi_krb5on Linux, Heimdal on macOS)
§Basic Example
use reqwest_negotiate::NegotiateAuthExt;
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let client = reqwest::Client::new();
let response = client
.get("https://api.example.com/protected")
.negotiate_auth()? // Uses default credentials and derives SPN from URL
.send()
.await?;
println!("Status: {}", response.status());
Ok(())
}§Mutual Authentication
For high-security environments, you can verify the server’s identity:
use reqwest_negotiate::NegotiateAuthExt;
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let client = reqwest::Client::new();
let (builder, mut ctx) = client
.get("https://api.example.com/protected")
.negotiate_auth_mutual()?;
let response = builder.send().await?;
// Verify the server proved its identity
ctx.verify_response(&response)?;
println!("Status: {}", response.status());
Ok(())
}§Custom Service Principal
If the service principal name (SPN) differs from the standard HTTP/<hostname>:
use reqwest_negotiate::NegotiateAuthExt;
let client = reqwest::Client::new();
let response = client
.get("https://api.example.com/protected")
.negotiate_auth_with_spn("HTTP/custom.principal@REALM.COM")?
.send()
.await?;Structs§
- Negotiate
Context - Holds the GSSAPI context for mutual authentication verification.
Enums§
- Negotiate
Error - Errors that can occur during Negotiate authentication.
Traits§
- Negotiate
Auth Ext - Extension trait that adds Negotiate authentication to
reqwest::RequestBuilder.