directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: JWT pre-authentication - get JWT token on service side
Date Fri, 17 Jun 2016 15:41:52 GMT
It's not a bug. It works that way: the temp value will be there only after you have decoded/decrypted
the part.

Note SGT is used/consumed in app server side, and can be decrypted using the server ticket/key.
I suggest you try this in the GssAppTest codes using the example code I provided in my last
email, where you should be able to query/extract the authorization data. If you put the token
in the authorization data, then after decoding it, you could extract the token from it. I remember
we defined the AuthzToken type for this actually, but I guess it's not used yet.

Regards,
Kai

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Friday, June 17, 2016 7:21 PM
To: kerby@directory.apache.org
Subject: Re: JWT pre-authentication - get JWT token on service side

Thanks Kai and Jiajia!

I'm trying to get access to the authorization data using the Kerby API after getting a service
ticket:

SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc, cCacheFile.getPath());

However the following is null:

tkt.getTicket().getEncPart()

Is this a bug or how else can I parse the ticket to get the authorization data?

Colm.

On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <kai.zheng@intel.com> wrote:

> Thanks Jiajia for the first question!
>
> For the second one, since you're using GSS, the even lower level, which 
> is even better, it should be totally doable. Ref. the following doc:
>
> https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
>
>       GSSContext ctxt = m.createContext(...)   // m is the GSSManager
>       // Establishing the context
>       if (ctxt instanceof ExtendedGSSContext) {
>           ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
>           try {
>               // cast is to java.security.Key (the original had a lowercase "(key)" typo)
>               Key key = (Key)ex.inquireSecContext(
>                       InquireType.KRB5_GET_SESSION_KEY);
>               // read key info
>           } catch (GSSException gsse) {
>               // deal with exception
>           }
>       }
>
> As you can see, after establishing the GSS context, you can query the 
> SESSION_KEY from the layer. You can also query the AUTHZ_DATA field similarly!
> After you get the authz data, it's up to you to decode it, say using the Kerby 
> library to decode the ASN.1 object and extract any info in it, like the token.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Li, Jiajia [mailto:jiajia.li@intel.com]
> Sent: Thursday, June 16, 2016 7:50 PM
> To: kerby@directory.apache.org; coheigea@apache.org
> Subject: RE: JWT pre-authentication - get JWT token on service side
>
> Hi Colm,
>
> For the first question: I think now the token has not been put into 
> the issued service ticket as authorization data. You can look at 
> issueTicket()#TgsRequest.java in server side for detail.
>
> Regards,
> Jiajia
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Thursday, June 16, 2016 7:19 PM
> To: kerby@directory.apache.org
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Thanks Kai. A few questions below.
>
> On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> >
> > 1. For issuing service ticket, the token used to do the 
> > authentication or a token derivation was put into the issued service 
> > ticket as authorization data. I'm not sure in current Kerby impl, it 
> > has done this or not. If not, it should be not difficult to support 
> > it, considering we have some Kerby authorization support now.
> >
>
> I can take a look at this. Can you give me some pointers in the code 
> so that I know where to start?
>
>
> >
> > 2. In application server side, it should be able to query and 
> > extract out the token encapsulated in the authorization data field 
> > in the service ticket. This should be doable now, because a proposal 
> > from me quite some ago had already been accepted by Oracle Java, as 
> > recorded in the following ticket, though I hadn't got the chance to 
> > verify it using latest JDK update like JDK8.
> >
> > JDK-8044085, our extension proposal accepted and committed: allowing 
> > querying authorization data field of service ticket.
> > https://bugs.openjdk.java.net/browse/JDK-8044085
>
>
> The JDK service ticket only refers to SASL. If I'm just using GSS on 
> the service side, is it already supported? If so, how can I extract it?
>
> Colm.
>
>
> >
> >
> > So in summary, if you want to try this, I would suggest please go 
> > ahead since it's doable now. Please let me know if you have other
> > questions.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Thursday, June 16, 2016 5:54 PM
> > To: kerby@directory.apache.org
> > Subject: JWT pre-authentication - get JWT token on service side
> >
> > Hi all,
> >
> > For the JWT pre-authentication use-case, how can I get access to the 
> > token information on the service side?
> >
> > From the documentation: "The service authenticates the ticket, 
> > extracts the token derivation, then enforce any advanced 
> > authorization by employing the token derivation and token attributes"
> >
> > Is there an example in the code to look at?
> >
> > Colm.
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
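The acceptor-side query Kai describes (JDK-8044085, `InquireType.KRB5_GET_AUTHZ_DATA`), written out as an added example; this is not code from the thread and not from the Kerby project. It assumes JDK 8 or later, a keytab-backed acceptor `GSSCredential` for the service principal, and a single AP-REQ token from the client. Because GSS decrypts the ticket with the service key during `acceptSecContext`, the "enc part is null" problem from Colm's Kerby-API attempt does not arise here. The Kerby class and method names used to unwrap AD-IF-RELEVANT containers (`AuthorizationData`, `AuthorizationDataEntry`, `AuthorizationType` under `org.apache.kerby.kerberos.kerb.type.ad`) are assumed from Kerby's kerb-core ASN.1 types. The example returns whatever entries the KDC placed in the ticket; as Jiajia notes, current Kerby does not yet put the token there, and once it does the service must still validate the token's own claims (expiry, signature) before basing authorization decisions on it.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;

// Kerby ASN.1 types for the AuthorizationData SEQUENCE (assumed package/method names).
import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationType;

public final class ServiceTicketAuthzData {

    /** One flattened authorization-data element: the ad-type number and its raw ad-data bytes. */
    public static final class Entry {
        public final int type;
        public final byte[] data;
        Entry(int type, byte[] data) { this.type = type; this.data = data; }
    }

    /**
     * Accept the client's AP-REQ with the service credential and return the
     * authorization data carried in the service ticket. The JDK decrypts the
     * ticket with the acceptor key, so no manual enc-part handling is needed.
     * Returns an empty list when the field is not exposed (non-Kerberos
     * mechanism, or the context is not an ExtendedGSSContext).
     */
    public static List<Entry> acceptAndExtract(GSSCredential serverCred, byte[] apReqToken)
            throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        GSSContext ctx = manager.createContext(serverCred);
        try {
            // One round is enough for a plain Kerberos AP-REQ. If the client asked for
            // mutual authentication, the returned AP-REP bytes must be sent back to it.
            ctx.acceptSecContext(apReqToken, 0, apReqToken.length);
            if (!ctx.isEstablished() || !(ctx instanceof ExtendedGSSContext)) {
                return new ArrayList<>();
            }
            ExtendedGSSContext ext = (ExtendedGSSContext) ctx;
            // Documented return type for KRB5_GET_AUTHZ_DATA is AuthorizationDataEntry[].
            AuthorizationDataEntry[] entries = (AuthorizationDataEntry[])
                    ext.inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
            List<Entry> out = new ArrayList<>();
            if (entries != null) {
                for (AuthorizationDataEntry e : entries) {
                    unwrap(e.getType(), e.getData(), out);
                }
            }
            return out;
        } finally {
            ctx.dispose();
        }
    }

    /**
     * AD-IF-RELEVANT (ad-type 1, RFC 4120 section 5.2.6.1) wraps a nested
     * AuthorizationData; decode it with Kerby and recurse so callers see only
     * leaf entries. Any other ad-type is returned as-is for the caller to decode.
     */
    static void unwrap(int type, byte[] data, List<Entry> out) throws IOException {
        if (type == AuthorizationType.AD_IF_RELEVANT.getValue()) {   // assumed Kerby enum/getter
            AuthorizationData inner = new AuthorizationData();
            inner.decode(data);                                        // assumed Kerby Asn1Type.decode(byte[])
            for (org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry ie : inner.getElements()) {
                unwrap(ie.getAuthzType().getValue(), ie.getAuthzData(), out);
            }
        } else {
            out.add(new Entry(type, data));
        }
    }
}
```

Call `acceptAndExtract(serverCred, apReqBytes)` from the service's accept path; each returned `Entry` is one leaf of the ticket's authorization data, identified by its numeric ad-type, which is where a KDC-inserted token (or a Kerby `AuthzToken`, once that type is in use) would be found and then decoded by the application.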