[GH-ISSUE #6875] Kerberos Support #19291

Open
opened 2026-04-15 18:11:35 -05:00 by GiteaMirror · 3 comments

Originally created by @XavierGeerinck on GitHub (Dec 19, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/6875

Is this suited for github?

  • Yes, this is suited for github

I would love to open this request to see the ideas around supporting Kerberos and how the community thinks about this.

Kerberos Plugin Spec

Name

@better-auth/kerberos

Description

Instead of a full implementation, a "bridge" implementation might be "sufficient enough", built on the libkrb5 library (https://github.com/adaltas/node-krb5), which does require system dependencies. Alternatively, gokrb5 (no platform dependencies) or Heimdal can be considered.

OAuth 2.1 can be used to let better-auth act as the "Trusted Delegate" to a local Samba 4 or MIT Kerberos instance. It will need to depend on the OAuth 2.1 Token Exchange grant urn:ietf:params:oauth:grant-type:token-exchange to accept a valid subject_token and return an issued_token_type of urn:ietf:params:oauth:token-type:kerberos_ticket (https://github.com/better-auth/better-auth/pull/4163), as it will act as the front door for the bridge.

Features

  • SPN Mapping: Map SPNs to Better Auth; this should happen automatically through an auto-provisioning hook such that when user.created is called it automatically creates a "Shadow Account" in the local Samba/LDAP directory when a user signs up via better-auth (other options might be preferable here)
  • KDC Proxy: HTTPS endpoint to tunnel Kerberos traffic (port 88) over 443 for remote Windows clients
  • LDAP Facade: read-only LDAP interface for legacy apps that need to query "MemberOf" groups directly from the Better Auth DB
  • Clock Sync: Health-check endpoint to ensure that the Better Auth server and KDC are within < 5 min time skew required by Kerberos

Logical Flow

  1. Authentication: User logs into better auth via OIDC
  2. Request: Client (Desktop Agent) calls /token/exchange with the OIDC token, requesting access to cifs/fileserver
  3. Validation: Better Auth validates the OIDC token and looks up the user's Kerberos Principal
  4. Transition: Better Auth uses its Service Keytab to call S4U2Self against the Samba KDC
  5. Issuance: The KDC returns a service ticket for the user
  6. Delivery: Better Auth returns the ticket to the client, which injects it into the Windows session

Example Schema

user

Maps a modern web user to a Kerberos entity

This ensures that when a user logs in via Passkey, the system knows exactly which "Shadow Account" to impersonate in the local KDC.

| Field | Type | Extra | Description |
|-|-|-|-|
| krbPrincipal | string | unique: true, required: false | The "Shadow Account" UPN (e.g., john.doe@MYDOMAIN.LOCAL) |
| sid | string | unique: true, required: false | The Active Directory SID for deep legacy compatibility |

kerberos_services

Whitelist of allowed SPNs

This prevents a compromised web session from requesting a ticket for sensitive services like a Domain Controller or Admin console.

| Field | Type | Extra | Description |
|-|-|-|-|
| name | string | required: true | |
| spn | string | unique: true, required: true | The Service Principal Name (e.g., cifs/fs01.domain.local) |
| description | string | | |
| requiredRole | string | required: false | Allowed roles/groups for this specific service |
| createdAt | date | | |

kerberos_delegation_log

Security Auditing

Prove exactly which OIDC session was used to generate a specific Kerberos ticket

| Field | Type | Extra | Description |
|-|-|-|-|
| userId | string | references: { model: "user", field: "id" } | |
| serviceId | string | references: { model: "kerberos_service", field: "id" } | |
| issuedAt | date | required: true | |
| ipAddress | string | | |

Diagrams

(Image attachment: diagram, not reproduced here)

Describe the solution you'd like

A new @better-auth/kerberos plugin

Describe alternatives you've considered

Expensive Services

Additional context

No response

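The checks that the Logical Flow and the kerberos_services / kerberos_delegation_log tables above imply, as an added TypeScript example (not better-auth's or the proposal's own code). It assumes the target SPN arrives in the token-exchange `resource` parameter, and the OIDC validation, service lookup, S4U2Self call, KDC clock and audit insert are injected as functions so the flow can run offline.

```typescript
// Added example, not better-auth code: the checks a /token/exchange handler for the
// proposed bridge would run before S4U2Self. The OIDC validation, kerberos_services
// lookup, KDC call, KDC clock and audit insert are injected (assumed) so it runs offline.
type User = { id: string; krbPrincipal?: string; roles: string[] };
type KerberosService = { id: string; spn: string; requiredRole?: string };
type DelegationLog = { userId: string; serviceId: string; issuedAt: Date; ipAddress?: string };
type ExchangeResult =
  | { error: string }
  | { access_token: string; issued_token_type: string; token_type: string };
const TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange";
const KRB_TICKET = "urn:ietf:params:oauth:token-type:kerberos_ticket";
const MAX_SKEW_MS = 5 * 60 * 1000; // Kerberos' default tolerated clock skew
interface ExchangeRequest {
  grant_type: string;
  subject_token: string;          // the OIDC token from step 1 of the flow
  requested_token_type: string;
  resource: string;               // assumed: the target SPN, e.g. cifs/fs01.domain.local
}
interface Deps {
  validateOidc: (token: string) => User | null;          // session lookup
  findService: (spn: string) => KerberosService | null;  // kerberos_services whitelist
  s4u2self: (principal: string, spn: string) => string;  // keytab-backed KDC call
  kdcTime: () => Date;                                   // KDC clock, for the skew check
  audit: (entry: DelegationLog) => void;                 // kerberos_delegation_log insert
}

// SPNs have the shape service/host[:port][@REALM]; anything else is rejected before lookup.
function parseSpn(spn: string): { service: string; host: string; realm?: string } | null {
  const m = /^([A-Za-z0-9-]+)\/([A-Za-z0-9.:-]+)(?:@([A-Z0-9.-]+))?$/.exec(spn);
  return m ? { service: m[1], host: m[2], realm: m[3] } : null;
}

function exchangeToken(req: ExchangeRequest, deps: Deps, ip?: string, now = new Date()): ExchangeResult {
  if (req.grant_type !== TOKEN_EXCHANGE) return { error: "unsupported_grant_type" };
  if (req.requested_token_type !== KRB_TICKET) return { error: "invalid_request" };
  // The KDC would reject a skewed request anyway; fail early with a clear reason.
  if (Math.abs(deps.kdcTime().getTime() - now.getTime()) > MAX_SKEW_MS) return { error: "clock_skew" };
  const user = deps.validateOidc(req.subject_token);
  if (!user) return { error: "invalid_grant" };
  if (!user.krbPrincipal) return { error: "no_shadow_account" }; // user.krbPrincipal never provisioned
  if (!parseSpn(req.resource)) return { error: "invalid_target" };
  const svc = deps.findService(req.resource);
  if (!svc) return { error: "invalid_target" }; // not whitelisted: no ticket for DCs, admin consoles, ...
  if (svc.requiredRole && !user.roles.includes(svc.requiredRole)) return { error: "access_denied" };
  const ticket = deps.s4u2self(user.krbPrincipal, svc.spn);
  deps.audit({ userId: user.id, serviceId: svc.id, issuedAt: now, ipAddress: ip }); // ticket <-> session
  return { access_token: ticket, issued_token_type: KRB_TICKET, token_type: "N_A" };
}
```

Nothing is written to the delegation log unless a ticket was actually issued, so every log row corresponds to exactly one S4U2Self call.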
GiteaMirror added the enterprise label 2026-04-15 18:11:35 -05:00

@better-auth-agent[bot] commented on GitHub (Dec 19, 2025):

Thanks for opening this issue and providing such a detailed Kerberos plugin proposal. We appreciate the idea of bridging Better Auth with Kerberos using existing libraries like node-krb5 or alternatives. Your outline—including SPN mapping, KDC proxy, LDAP façade, and clock sync—is very helpful and aligns with our vision of extended authentication capabilities. Currently, there isn’t native support for Kerberos in Better Auth, but your feature request is an excellent starting point for further discussion and exploration. We’ll review your specifications and consider them as we plan new enhancements.

Do you have any additional details or use cases you’d like to share to help further refine this proposal? Tag @better-auth-agent if you would like an answer from the Agent.

If you need more help, tag @better-auth-agent in a comment so I can respond.



@dosubot[bot] commented on GitHub (Mar 20, 2026):

Hi, @XavierGeerinck. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary

  • You proposed adding Kerberos support to better-auth via a plugin using libraries like libkrb5 or gokrb5.
  • The proposal includes features such as SPN mapping and KDC proxy to bridge OAuth 2.1 token exchange with local Kerberos instances.
  • The maintainers responded positively, noting this aligns with their vision but currently have no native Kerberos support.
  • They invited you to share more use cases to help refine the proposal.
  • The issue remains unresolved with no recent updates.

Next Steps

  • Please let me know if this issue is still relevant to the latest version of better-auth by commenting here.
  • Otherwise, this issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!


@XavierGeerinck commented on GitHub (Mar 20, 2026):

Yes still relevant




Reference: github-starred/better-auth#19291