Q: Best effort gssapi auth* attempt

[praiskup]

Can we somehow avoid using the Require valid-user statement, so this would be a valid pattern:

# apache pseudo-code logic ...
if user= check_gssapi_creds():
    set REMOTE_USER = user
    go_to_client_code
else:
    go_to_client_code (_anyway, but without REMOTE_USER defined)

So far with my attempts, with Require valid-user, apache returns the configured
403 page when there are no GSSAPI credentials ...
When I try anything else, like Require all granted, REMOTE_USER is never
set.

Thing is that we would like to support, on the same server routes, different
kinds of authentication mechanisms (gssapi, handled by apache, and also
API tokens sent in GET/POST headers). We would like to handle the fallback
from token to GSSAPI login in the application code.

[simo5]

For this kind of logic I recommend using a front page that is not GSSAPI protected, and redirect to a GSSAPI protected page only when GSSAPI authentication is requested.
The GSSAPI protected page should return a cookie or other header that is then used by the application to access other pages and is validated independently from mod_auth_gssapi.

[simo5]

Note that mod_auth_gssapi itself can't really do much for this scenario, this is an httpd level configuration to deal with.