directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: JWT pre-authentication - get JWT token on service side
Date Thu, 16 Jun 2016 12:01:33 GMT
Thanks Jiajia for the first question!

For the second one, since you're using GSS, the even lower level, which is more fine and should
be totally doable. Ref. the following doc:
https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html

      GSSContext ctxt = m.createContext(...)
      // Establishing the context
      if (ctxt instanceof ExtendedGSSContext) {
          ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
          try {
              // inquireSecContext() returns Object; for KRB5_GET_SESSION_KEY it is a java.security.Key
              Key key = (Key)ex.inquireSecContext(
                      InquireType.KRB5_GET_SESSION_KEY);
              // read key info
          } catch (GSSException gsse) {
              // deal with exception
          }
      }

As you can see, after establishing the GSS context, you can query the SESSION_KEY from the layer.
You can also query the AUTHZ_DATA field similarly! After you get the authz data, it's up to you to
decode it, say using the Kerby library to decode the ASN.1 object and extract any info in it, like
the token.

Regards,
Kai
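To illustrate the AUTHZ_DATA query described in the reply above, here is an added example that is not from this thread or the Kerby project: it assumes the SunJGSS provider (ExtendedGSSContext and InquireType.KRB5_GET_AUTHZ_DATA from the linked JDK API, with entries returned as AuthorizationDataEntry), and the class name AuthzDataExtractor and the decoder hook are my own. Which AD type carries the token, and how its ASN.1 payload is decoded, is left to the caller, since that is the Kerby-side contract the thread has not settled.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.BiFunction;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;

/**
 * Acceptor-side helper (added example, not Kerby code): once the GSS context is
 * established, pull the authorization-data entries out of the service ticket.
 * Entries are returned raw (AD type + DER bytes); decoding the token they carry
 * is left to a caller-supplied function, e.g. one backed by Kerby's ASN.1 classes.
 */
public final class AuthzDataExtractor {

    /** Raw entries of an established context; empty if the provider exposes none. */
    public static List<AuthorizationDataEntry> rawEntries(GSSContext ctx) throws GSSException {
        List<AuthorizationDataEntry> out = new ArrayList<>();
        if (!ctx.isEstablished()) {
            // Never act on ticket contents before the acceptor has finished the exchange.
            throw new IllegalStateException("GSS context not yet established");
        }
        if (!(ctx instanceof ExtendedGSSContext)) {
            return out;   // not the SunJGSS Kerberos provider: nothing to inquire
        }
        // Under a SecurityManager this needs InquireSecContextPermission("KRB5_GET_AUTHZ_DATA").
        Object v = ((ExtendedGSSContext) ctx).inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
        if (v instanceof AuthorizationDataEntry[]) {
            for (AuthorizationDataEntry e : (AuthorizationDataEntry[]) v) {
                out.add(e);
            }
        }
        return out;
    }

    /** Decodes the first entry of the wanted AD type with {@code decoder}; null if absent. */
    public static <T> T firstOfType(GSSContext ctx, int wantedAdType,
                                    BiFunction<Integer, byte[], T> decoder) throws GSSException {
        for (AuthorizationDataEntry e : rawEntries(ctx)) {
            if (e.getType() == wantedAdType) {
                return decoder.apply(e.getType(), e.getData());   // getData() returns a copy
            }
        }
        return null;
    }
}
```

The decoder passed to firstOfType is where Kerby's ASN.1 decoding of the token would go; the helper itself only trusts what the provider has already decrypted and verified from the ticket.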

-----Original Message-----
From: Li, Jiajia [mailto:jiajia.li@intel.com] 
Sent: Thursday, June 16, 2016 7:50 PM
To: kerby@directory.apache.org; coheigea@apache.org
Subject: RE: JWT pre-authentication - get JWT token on service side

Hi Colm,

For the first question: I think now the token has not been put into the issued service ticket
as authorization data. You can look at issueTicket()#TgsRequest.java in server side for detail.

Regards,
Jiajia

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Thursday, June 16, 2016 7:19 PM
To: kerby@directory.apache.org
Subject: Re: JWT pre-authentication - get JWT token on service side

Thanks Kai. A few questions below.

On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <kai.zheng@intel.com> wrote:

>
> 1. For issuing service ticket, the token used to do the authentication 
> or a token derivation was put into the issued service ticket as 
> authorization data. I'm not sure in current Kerby impl, it has done 
> this or not. If not, it should be not difficult to support it, 
> considering we have some Kerby authorization support now.
>

I can take a look at this. Can you give me some pointers in the code so that I know where
to start?


>
> 2. In application server side, it should be able to query and extract 
> out the token encapsulated in the authorization data field in the 
> service ticket. This should be doable now, because a proposal from me 
> quite some ago had already been accepted by Oracle Java, as recorded 
> in the following ticket, though I hadn't got the chance to verify it 
> using latest JDK update like JDK8.
>
> JDK-8044085, our extension proposal accepted and committed: allowing 
> querying authorization data field of service ticket.
> https://bugs.openjdk.java.net/browse/JDK-8044085


The JDK service ticket only refers to SASL. If I'm just using GSS on the service side, is
it already supported? If so, how can I extract it?

Colm.


>
>
> So in summary, if you want to try this, I would suggest please go 
> ahead since it's doable now. Please let me know if you have other questions.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Thursday, June 16, 2016 5:54 PM
> To: kerby@directory.apache.org
> Subject: JWT pre-authentication - get JWT token on service side
>
> Hi all,
>
> For the JWT pre-authentication use-case, how can I get access to the 
> token information on the service side?
>
> From the documentation: "The service authenticates the ticket, 
> extracts the token derivation, then enforce any advanced authorization 
> by employing the token derivation and token attributes"
>
> Is there an example in the code to look at?
>
> Colm.
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com