directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: JWT pre-authentication - get JWT token on service side
Date Thu, 23 Jun 2016 20:26:16 GMT
I’m just back from my sleep. ☺

Regarding how to get the service ticket from the SgtTicket object in bytes, probably you do sgtTicket.getTicket().encode().
If it doesn't work, please reference the code in CredCacheOutputStream.java to see how
it stores a ticket in a file.

Regards,
Kai

From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Thursday, June 23, 2016 11:25 PM
To: Zheng, Kai <kai.zheng@intel.com>
Cc: kerby@directory.apache.org
Subject: Re: JWT pre-authentication - get JWT token on service side


On Thu, Jun 23, 2016 at 3:28 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
I see. Why do you want to validate it using GSS on the client side? Because the client gets it
and then should just trust it, right? Validating a service ticket needs the service key or
keytab, which is why I thought it could be on the server side.

Just to test that it works! See the unit test called "unitGSSTest" here:

https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-kerberos-kerby/src/test/java/org/apache/coheigea/cxf/kerberos/authentication/AuthenticationTest.java
Using the GSS API I do:

byte[] ticket = (byte[]) Subject.doAs(clientSubject, action);
...
validateServiceTicket(ticket);


I got your scenario. Are you able to obtain the service ticket or not? You seem to, because
you said you can use a JWT token for that. But then you asked how to access the service ticket
on the client side using the Kerby API. Did you have the SgtTicket in hand? If yes, I thought
then you can extract something from it to put into the SOAP header. Could you point to the
relevant spec about that? I may then have a concrete idea to help.

Yes I have the SgtTicket in hand. Now I want to extract the service ticket from this class
as an array of bytes, similar to what I get above from Subject.doAs using the GSS API. I know
how to put the Kerberos token in the SOAP header, my question is how to get it from SgtTicket
in the first place :-)
Thanks again for your help,

Colm.


Regards,
Kai

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Thursday, June 23, 2016 9:40 PM
To: kerby@directory.apache.org
Subject: Re: JWT pre-authentication - get JWT token on service side

On Thu, Jun 23, 2016 at 2:31 PM, Zheng, Kai <kai.zheng@intel.com> wrote:

>
> >> How do I extract the token from SgtTicket that I can validate using GSS?
> Sorry, but where do you want to do this? App client side or server side?
> If on server side, I thought you have already made it, as your
> previous email notified, being able to query/extract the authorization
> data and get token from it. Would you clarify a bit?
>

On the client side. So what I want to do is use the Kerby API to get a service ticket (using
a JWT token) and then extract the ticket from the KDC response + validate it using GSS. For
example, for SOAP web services, the service ticket is inserted into the SOAP header of the
web services call in BASE-64 format. So the question is, how can I get access to the service
ticket on the client side using the Kerby API?

Thanks,

Colm.


>
> Regards,
> Kai
>
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Thursday, June 23, 2016 7:59 PM
> To: Zheng, Kai <kai.zheng@intel.com>
> Cc: kerby@directory.apache.org
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Hi Kai,
>
> On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> Great question. Here what you need would be a login module using a
> token, and the module will send the token to the KDC for a TGT to get an
> SGT that's to be used in a GSS session. We already have the module,
> please look at TokenAuthLoginModule.
>
> From what I can see, the TokenAuthLoginModule just gets the TGT and
> not the SGT. However, I can get the service ticket easily enough via
> the Kerby API from this. How do I extract the token from SgtTicket
> that I can validate using GSS?
>
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Wednesday, June 22, 2016 9:36 PM
> To: kerby@directory.apache.org
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Hi all,
>
> Some more questions on this task:
>
> 1) Kai, you mentioned the AuthzToken type. Is this defined somewhere
> so that I can add it in to the AuthorizationType class?
>
> 2) Currently, the TokenIssuer class asks the IdentityService for the
> authorization data. However, the IdentityService doesn't have access
> to the token. Is it reasonable default behaviour to insert the
> received token in the TokenIssuer as the authorization data, and if
> none exists fall back to ask the IdentityService for any authorization data?
>
> 3) I can extract the token on the service side using the GSS API in
> the way suggested by Kai. However, how can I send the token to the KDC
> on the client side using GSS?
>
> Thanks,
>
> Colm.
>
> On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> > It's not a bug. It works that way: the temp value will be there only
> > after you have decoded/decrypted the part.
> >
> > Note the SGT is used/consumed on the app server side, and can be decrypted
> > using the server ticket/key. I suggest you try this in the
> > GssAppTest codes using the example code I provided in my last email,
> > where you should be able to query/extract the authorization data. If
> > you put the token in the authorization data, then after decoding it,
> > you could extract the token from it. I remember we had defined the
> > AuthzToken type for this actually, but I guess it's not used yet.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Friday, June 17, 2016 7:21 PM
> > To: kerby@directory.apache.org
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Thanks Kai and Jiajia!
> >
> > I'm trying to get access to the authorization data using the Kerby
> > API after getting a service ticket:
> >
> > SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc,
> > cCacheFile.getPath());
> >
> > However the following is null:
> >
> > tkt.getTicket().getEncPart()
> >
> > Is this a bug or how else can I parse the ticket to get the
> > authorization data?
> >
> > Colm.
> >
> > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> >
> > > Thanks Jiajia for the first question!
> > >
> > > For the second one, since you're using GSS, the even lower level,
> > > which is fine, and it should be totally doable. Ref. the
> > > following doc:
> > >
> > > https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
> > >
> > >       GSSContext ctxt = m.createContext(...);
> > >       // Establishing the context
> > >       if (ctxt instanceof ExtendedGSSContext) {
> > >           ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
> > >           try {
> > >               Key key = (Key)ex.inquireSecContext(
> > >                       InquireType.KRB5_GET_SESSION_KEY);
> > >               // read key info
> > >           } catch (GSSException gsse) {
> > >               // deal with exception
> > >           }
> > >       }
> > >
> > > As you can see, after establishing the GSS context, you can query
> > > the SESSION_KEY from the layer. You can also query the AUTHZ_DATA
> > > field similarly!
> > > After you get the authz data, it's up to you to decode it, say using
> > > the Kerby library to decode the ASN1 object and extract any info in it,
> > > like the token.
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Li, Jiajia [mailto:jiajia.li@intel.com]
> > > Sent: Thursday, June 16, 2016 7:50 PM
> > > To: kerby@directory.apache.org; coheigea@apache.org
> > > Subject: RE: JWT pre-authentication - get JWT token on service side
> > >
> > > Hi Colm,
> > >
> > > For the first question: I think now the token has not been put
> > > into the issued service ticket as authorization data. You can look
> > > at issueTicket()#TgsRequest.java on the server side for detail.
> > >
> > > Regards,
> > > Jiajia
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Thursday, June 16, 2016 7:19 PM
> > > To: kerby@directory.apache.org
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > Thanks Kai. A few questions below.
> > >
> > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > >
> > > >
> > > > 1. For issuing a service ticket, the token used to do the
> > > > authentication or a token derivation was put into the issued
> > > > service ticket as authorization data. I'm not sure whether the
> > > > current Kerby impl has done this or not. If not, it should not be
> > > > difficult to support it, considering we have some Kerby
> > > > authorization support now.
> > > >
> > >
> > > I can take a look at this. Can you give me some pointers in the
> > > code so that I know where to start?
> > >
> > >
> > > >
> > > > 2. On the application server side, it should be able to query and
> > > > extract out the token encapsulated in the authorization data
> > > > field in the service ticket. This should be doable now, because
> > > > a proposal from me quite some time ago had already been accepted by
> > > > Oracle Java, as recorded in the following ticket, though I
> > > > hadn't got the chance to verify it using the latest JDK update like JDK8.
> > > >
> > > > JDK-8044085, our extension proposal accepted and committed:
> > > > allowing querying authorization data field of service ticket.
> > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > >
> > >
> > > The JDK service ticket only refers to SASL. If I'm just using GSS
> > > on the service side, is it already supported? If so, how can I extract it?
> > >
> > > Colm.
> > >
> > >
> > > >
> > > >
> > > > So in summary, if you want to try this, I would suggest please
> > > > go ahead since it's doable now. Please let me know if you have
> > > > other questions.
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > To: kerby@directory.apache.org
> > > > Subject: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Hi all,
> > > >
> > > > For the JWT pre-authentication use-case, how can I get access to
> > > > the token information on the service side?
> > > >
> > > > From the documentation: "The service authenticates the ticket,
> > > > extracts the token derivation, then enforce any advanced
> > > > authorization by employing the token derivation and token attributes"
> > > >
> > > > Is there an example in the code to look at?
> > > >
> > > > Colm.
> > > >
> > > >
> > > > --
> > > > Colm O hEigeartaigh
> > > >
> > > > Talend Community Coder
> > > > http://coders.talend.com
> > > >
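Putting the two halves of the thread together, as an added example that is not code from this thread, from Kerby or from the JDK: the client side takes Kai's `sgtTicket.getTicket().encode()` and Base64-encodes the DER ticket for the SOAP header, and the service side queries the accepted ticket's authorization data through the JDK-8044085 `KRB5_GET_AUTHZ_DATA` inquiry Kai points at. It assumes Kerby's `SgtTicket`/`Ticket` as named in the thread and JDK 8's `com.sun.security.jgss` extension API; the ad-type number the token is stored under is left open in the thread, so it is passed in as `adType` rather than hard-coded.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;

public final class KerbyTicketHelper {

    /** Client side: the DER-encoded Ticket inside SgtTicket, Base64 for a SOAP header. */
    public static String serviceTicketToBase64(SgtTicket sgt) throws IOException {
        // Ticket is a Kerby ASN.1 type; encode() yields its DER bytes, ready for transport
        byte[] derTicket = sgt.getTicket().encode();
        return Base64.getEncoder().encodeToString(derTicket);
    }

    /** Service side: authorization-data entries of one ad-type from the accepted ticket. */
    public static List<byte[]> authzDataOfType(GSSContext ctxt, int adType) throws GSSException {
        // The authz data comes out of the ticket the acceptor decrypted with its own key,
        // so it is KDC-asserted, not client-supplied; it exists only once the context is up.
        if (!ctxt.isEstablished()) {
            throw new IllegalStateException("context not established yet");
        }
        if (!(ctxt instanceof ExtendedGSSContext)) {
            throw new UnsupportedOperationException("JGSS provider lacks ExtendedGSSContext");
        }
        ExtendedGSSContext ex = (ExtendedGSSContext) ctxt;
        // JDK-8044085 extension: KRB5_GET_AUTHZ_DATA returns the ticket's authz-data entries
        AuthorizationDataEntry[] entries =
            (AuthorizationDataEntry[]) ex.inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
        List<byte[]> matches = new ArrayList<>();
        if (entries == null) {
            return matches; // ticket carried no authorization data at all
        }
        for (AuthorizationDataEntry entry : entries) {
            if (entry.getType() == adType) {
                matches.add(entry.getData()); // raw ad-data, still to be decoded by the caller
            }
        }
        return matches;
    }
}
```

The returned ad-data is opaque bytes; as Kai says, decoding it (for example with Kerby's ASN.1 classes) is the caller's job. Entries wrapped in AD-IF-RELEVANT (ad-type 1, RFC 4120) are returned as the wrapper, so a token nested inside one has to be unwrapped before filtering by type.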