GSSAPI/Kerberos/SPNEGO module for Rack - anybody?

Short question: does anybody know of such or would be interested in such?

Long story: for in-house web applications, logging on to each and every one of them is a nuisance. Not logging on (anonymous access) is also not feasible, because then the app doesn’t know the username.

There is a solution, and it is single sign-on: when you first log on to your laptop, a credential is retrieved from a central key server. Afterwards that credential acts as a voucher to log you onto any network service you want to use (and have the right to use), no further questions asked.

There is one web application (that I know of) where this is implemented and works (and it works like a charm!), and that is pgadmin4 in server mode. That one is Python-based, but it proves that it is possible to implement and could be done in Ruby as well.

Practically it works like this: the user logs onto their device and obtains a ticket from a central key server. The ticket has a limited lifetime (8 hours) and is stored locally. Firefox needs to be configured in about:config with the allowed peer hosts (web servers) for this feature. Then Firefox will grab the ticket and send it inside an HTTP header (there is a protocol defined for that, SPNEGO, and it involves multiple request-reply cycles, so it is a bit of a problem to get through a reverse proxy, but manageable) to the web app server - which then determines (verifies) the username from it. Optionally the web app server can then forward the ticket to another application, e.g. the database, and open a database session on behalf of the user, with the user’s credentials. This is what pgadmin4 does (it is a tool to administer Postgres databases - and Postgres includes an excellent GSSAPI implementation); it is maybe not so much of a use case with RoR (but there might be one).

The main point is, we go through this whole chain without ever configuring passwords anywhere.

There are some bits and pieces around, like this one, http://www.httpirb.com/, which states it can do SPNEGO - but that is client side. What would be needed is the server-side SPNEGO routines to be placed into Rack.
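To make the server side of the exchange concrete, here is an added example (not code from the post or from any existing gem) of what the Rack-facing part of such a module would look like: it issues the `WWW-Authenticate: Negotiate` challenge, decodes the base64 token the browser sends in `Authorization: Negotiate ...`, loops through the extra round trips SPNEGO may need, and exposes the verified principal as `REMOTE_USER`. The actual GSSAPI context acceptance is assumed to be supplied by an injected `acceptor` object wrapping native Kerberos bindings; the `FakeAcceptor` below is a constructed stand-in so the code runs offline.

```ruby
# Added example: Rack middleware skeleton for server-side HTTP Negotiate (SPNEGO).
# The GSSAPI step itself is delegated to `acceptor` (assumed to wrap a Kerberos library).
class NegotiateAuth
  # acceptor.accept(token) -> [:complete, principal, out_token] | [:continue, nil, out_token] | [:failed, nil, nil]
  def initialize(app, acceptor)
    @app = app
    @acceptor = acceptor
  end

  def call(env)
    header = env['HTTP_AUTHORIZATION'].to_s
    # First round trip: no ticket yet, so challenge the browser for one.
    return challenge(nil) unless header.start_with?('Negotiate ')
    begin
      in_token = header.delete_prefix('Negotiate ').unpack1('m0') # strict base64 decode
    rescue ArgumentError
      return challenge(nil) # malformed token: restart the exchange
    end
    state, principal, out_token = @acceptor.accept(in_token)
    case state
    when :continue # SPNEGO needs another request-reply cycle before the context is complete
      challenge(out_token)
    when :complete
      env['REMOTE_USER'] = principal # hand the verified name to the application
      status, headers, body = @app.call(env)
      # Return the final token so the browser can verify the server (mutual authentication).
      headers['WWW-Authenticate'] = "Negotiate #{[out_token].pack('m0')}" if out_token
      [status, headers, body]
    else
      [403, { 'Content-Type' => 'text/plain' }, ['GSSAPI authentication failed']]
    end
  end

  private

  def challenge(out_token)
    value = out_token ? "Negotiate #{[out_token].pack('m0')}" : 'Negotiate'
    [401, { 'Content-Type' => 'text/plain', 'WWW-Authenticate' => value }, ['Authentication required']]
  end
end

# Constructed stand-in for a real GSSAPI acceptor, so the middleware can be exercised offline.
class FakeAcceptor
  def accept(token)
    case token
    when 'STEP1'        then [:continue, nil, 'STEP2']
    when 'TICKET:alice' then [:complete, 'alice@EXAMPLE.ORG', 'MUTUAL']
    else                     [:failed, nil, nil]
    end
  end
end
```

Behind a reverse proxy, the proxy must pass the `Authorization` and `WWW-Authenticate` headers through unchanged for all rounds, which is the part the post calls manageable but fiddly.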