How We Integrated SingleStore Studio with Kerberos

The authors integrated Kerberos authentication with SingleStoreDB Self-Managed (MySQL protocol) authentication in a browser-based application, SingleStore Studio. To achieve this, they extended the MySQL "Auth Switch Request Packet" to send an HTTP GET request to a custom API endpoint controlled by Studio's web server when it receives the "auth_gssapi_client" auth request. This endpoint implements only the first part of the SPNEGO protocol, which forces the browser to initialize the Kerberos authentication flow with the SingleStoreDB Self-Managed cluster. The frontend then grabs the service ticket from the response and injects it into the MySQL authentication packet, allowing the SingleStoreDB Self-Managed cluster to validate the service ticket and authenticate the user. This solution allows for seamless integration of Kerberos authentication in a browser-based application without requiring additional desktop distributions or dependencies.