Description
Currently, our SSPI/GSSAPI code supports a single client/server roundtrip.
It is fine with most NEGOTIATE/Kerberos authentication patterns, but this may not be the case, e.g. when credential delegation or cross-realm referrals are used.
The purpose of this issue is to implement in-memory persistence of TSecContext instances, to allow server roundtrips on the server side.
There was an existing implementation in mormot.rest.server.pas from mORMot 1, but it was overcomplicated and not reusable. We would like to have something easier to work with, and usable in the other server-side authentication methods.
It is not labeled as "bug" yet, because no one reported an issue yet.
It is not a "security" issue because the current pattern is safe - even if it may not be able to authenticate, it won't cause any security breach.
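A sketch of the persistence pattern this issue asks for, added here as an illustration and not taken from mORMot: a per-connection store that keeps a half-built security context between roundtrips and drops it on completion, failure or timeout. It is a Python model, not the project's Pascal; `PendingContexts`, `AcceptStep`, the TTL, the pending cap and the two-leg fake mechanism are all assumptions made for the example.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Hypothetical stand-in for one SSPI/GSSAPI accept step:
# (context or None, client token) -> (context, reply token, handshake complete)
AcceptStep = Callable[[Optional[object], bytes], Tuple[object, bytes, bool]]


class PendingContexts:
    """Keeps half-built security contexts between roundtrips, per connection."""

    def __init__(self, accept: AcceptStep, ttl: float = 30.0, max_pending: int = 1024,
                 clock: Callable[[], float] = time.monotonic):
        self._accept, self._ttl, self._max, self._clock = accept, ttl, max_pending, clock
        self._pending: Dict[int, Tuple[object, float]] = {}  # conn_id -> (ctx, deadline)

    def _purge(self) -> None:
        now = self._clock()
        for conn_id in [c for c, (_, dl) in self._pending.items() if dl <= now]:
            del self._pending[conn_id]  # abandoned handshake (native code would free it)

    def step(self, conn_id: int, token: bytes) -> Tuple[str, bytes]:
        """Feed one client token; returns ("continue" | "done" | "reject", reply)."""
        self._purge()
        ctx, _ = self._pending.pop(conn_id, (None, 0.0))
        if ctx is None and len(self._pending) >= self._max:
            return "reject", b""  # bound the memory held for unfinished handshakes
        try:
            ctx, reply, complete = self._accept(ctx, token)
        except ValueError:
            return "reject", b""  # already popped: a failed leg leaves nothing behind
        if complete:
            return "done", reply
        self._pending[conn_id] = (ctx, self._clock() + self._ttl)
        return "continue", reply


def fake_two_leg_accept(ctx, token):
    """Constructed mechanism needing two legs; not a real Kerberos exchange."""
    if ctx is None:
        if token != b"leg1":
            raise ValueError("bad first token")
        return {"legs": 1}, b"challenge", False
    if token != b"leg2":
        raise ValueError("bad second token")
    ctx["legs"] = 2
    return ctx, b"final", True
```

A context is only ever looked up by the connection it was created on, so a second leg arriving on another connection starts a fresh handshake instead of resuming someone else's.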