Hey folks!

Here's my situation: I have a python-based web service that is currently authenticated via mod_auth_gssapi in Apache.
I'd like to migrate the authentication layer to Python to have more flexibility on where in the app the authentication takes place, and remove the apache layer that's only used for this (it's running in Openshift, adding layers to a container can quickly become a bit of a maintenance burden).

The trick is that this web service uses service delegation (s4u2proxy) in mod_auth_gssapi, and I can't get that to work in Python.
I've tried the asgi-gssapi and wsgi-kerberos projects (the latter with a PR to migrate it to python-gssapi instead of python-kerberos), and both don't provide me with SecurityContext.delegated_creds, it's always None. Authentication works, though, I get the principal I kinited with, no issue with that. When I use the same TLS certs and the same keytab with apache's mod_auth_gssapi, the delegation works correctly.
Here's parts of my Apache config file:

 AuthType GSSAPI
 AuthName "Kerberos Login"
 GssapiUseSessions On
 Session On
 SessionCookieName fasjson_session path=/fasjson;httponly;secure;
 SessionHeader FASJSONSESSION
 GssapiSessionKey file:/run/fasjson/session.key
 GssapiCredStore keytab:/etc/httpd/conf/fasjson.keytab
 GssapiCredStore client_keytab:/etc/httpd/conf/fasjson.keytab
 GssapiCredStore ccache:FILE:/run/fasjson/krb5ccache
 GssapiImpersonate On
 GssapiDelegCcacheDir /run/fasjson/ccaches
 GssapiDelegCcachePerms mode:0660
 GssapiUseS4U2Proxy on
 GssapiAllowedMech krb5

I wonder if there's something I must do with python-gssapi to enable delegation, that would be the equivalent of setting GssapiImpersonate and GssapiUseS4U2Proxy to "On". The docs say that it's automatic, but I'm obviously missing something.

You can see the python code here, it's not too complex, just one file:

• asgi-gssapi: https://github.com/washed-out/asgi-gssapi/blob/master/asgi_gssapi.py
• wsgi-kerberos with PR: https://github.com/svmhdvn/wsgi-kerberos/blob/python-gssapi/wsgi_kerberos.py

The client is curl in all cases, with the -u : --negotiate parameters.
On the server I'm setting the KRB5_KTNAME env var to my server keytab.
When using mod_auth_gssapi, IPA's krb5kdc.log has a TGS_REQ and a CONTSTRAINED-DELEGATION entry, and it does not have that when I use the python-gssapi libs.
You should be able to reproduce it using the example WSGI/ASGI files provided it either projects' repo (try the ASGI one first as delegation is officially supported there).
I've looked at this for hours but I haven't found what I'm doing wrong.