Authentik supports this [1] too, kinda. It seems you can set it up to register y... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		lq9AJ8yrfs on March 25, 2025 \| parent \| context \| favorite \| on: Open-sourcing OpenPubkey SSH (OPKSSH): integrating... Authentik supports this [1] too, kinda. It seems you can set it up to register you based on a bona fide kerberos auth, and logs you in (maybe? would have to check) with kerberos but seems to keep a parallel synchronized authenticator in its own database for OIDC and "modern" auth. Doesn't seem to embed kerberos-isms as "claims" in OIDC either. Might be awesome if it did? Or terrible, depending on how you look at it. [1] https://docs.goauthentik.io/docs/users-sources/sources/proto...

p_l on March 26, 2025 [–]

MIT Kerberos can authenticate using OIDC created token, but in my case I essentially authenticated to Keycloak with HTTP Negotiate with Kerberos, then based on data from LDAP (that was also used by Kerberos) I generated appropriate OIDC token.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact