directory-kerby mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: JWT pre-authentication - get JWT token on service side
Date Tue, 28 Jun 2016 13:59:48 GMT
Hi Kai,

Could you take a look at the @Ignore'd test-case I just committed:

https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=blobdiff;f=kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java;h=7e0d269f6e0c19fb4f750dd98542a4d5011e1dc5;hp=832d59dda4b0b0739ef5a1228da0b7bb20c10ab9;hb=1bce738d;hpb=79d4a584129026bcf920dd1ae5c28c27c6971412

It gets a SgtTicket using Kerby and tries to get the resulting service
token in byte array form to validate with GSS. Running the test leads to:

Caused by: GSSException: Defective token detected (Mechanism level:
GSSHeader did not find the right tag)

I get the same error if I just do "sgtTicket.getTicket().encode()".

Colm.

On Thu, Jun 23, 2016 at 9:26 PM, Zheng, Kai <kai.zheng@intel.com> wrote:

> I’m just back from my sleep. ☺
>
> Regarding how to get the service ticket from SgtTicket object in bytes,
> probably you do sgtTicket.getTicket().encode(). If it doesn’t work, please
> reference the codes in CredCacheOutputStream.java to see how it store a
> ticket in a file.
>
> Regards,
> Kai
>
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Thursday, June 23, 2016 11:25 PM
> To: Zheng, Kai <kai.zheng@intel.com>
> Cc: kerby@directory.apache.org
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
>
> On Thu, Jun 23, 2016 at 3:28 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> I see. Why you want to validate it using GSS on the client side? Because
> the client gets it and then should just trust it, right? To validate a
> service ticket needs the service key or keytab, which is why I thought it
> could be on the server side.
>
> Just to test that it works! See the unit test called "unitGSSTest" here:
>
>
> https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-kerberos-kerby/src/test/java/org/apache/coheigea/cxf/kerberos/authentication/AuthenticationTest.java
> Using the GSS API I do:
>
> byte[] ticket = (byte[]) Subject.doAs(clientSubject, action);
> ...
> validateServiceTicket(ticket);
>
>
> I got your scenario. Are you able to obtain the service ticket or not? You
> seem to because you said you can use a JWT token for that. But then you
> asked how to access the service ticket on the client side using the Kerby
> API. Did you have the SgtTicket in hand? If yes, I thought then you can
> extract something from it to put into the SOAP header. Could you point to
> the relevant spec about that? I may then have concrete idea to help.
>
> Yes I have the SgtTicket in hand. Now I want to extract the service ticket
> from this class as an array of bytes, similar to what I get above from
> Subject.doAs using the GSS API. I know how to put the Kerberos token in the
> SOAP header, my question is how to get it from SgtTicket in the first place
> :-)
> Thanks again for your help,
>
> Colm.
>
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Thursday, June 23, 2016 9:40 PM
> To: kerby@directory.apache.org
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> On Thu, Jun 23, 2016 at 2:31 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> >
> > >> How do I extract the token from SgtTicket that I can validate using GSS?
> > Sorry, but where do you want to do this? App client side or server side?
> > If on server side, I thought you have already made it, as your
> > previous email notified, being able to query/extract the authorization
> > data and get token from it. Would you clarify some bit?
> >
>
> On the client side. So what I want to do is use the Kerby API to get a
> service ticket (using a JWT token) and then extract the ticket from the KDC
> response + validate it using GSS. For example, for SOAP web services, the
> service ticket is inserted into the SOAP header of the web services call in
> BASE-64 format. So the question is, how can I get access to the service
> ticket on the client side using the Kerby API?
>
> Thanks,
>
> Colm.
>
>
> >
> > Regards,
> > Kai
> >
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Thursday, June 23, 2016 7:59 PM
> > To: Zheng, Kai <kai.zheng@intel.com>
> > Cc: kerby@directory.apache.org
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Hi Kai,
> >
> > On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> >
> > Great question. Here what you need would be a login module using
> > token, and the module will send the token to KDC for a TGT to get a
> > SGT that's to be used in a GSS session. We have already the module,
> > please look at TokenAuthLoginModule.
> >
> > From what I can see, the TokenAuthLoginModule just gets the TGT and
> > not the SGT. However, I can get the service ticket easily enough via
> > the Kerby API from this. How do I extract the token from SgtTicket
> > that I can validate using GSS?
> >
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Wednesday, June 22, 2016 9:36 PM
> > To: kerby@directory.apache.org
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Hi all,
> >
> > Some more questions on this task:
> >
> > 1) Kai, you mentioned the AuthzToken type. Is this defined somewhere
> > so that I can add it in to the AuthorizationType class?
> >
> > 2) Currently, the TokenIssuer class asks the IdentityService for the
> > authorization data. However, the IdentityService doesn't have access
> > to the token. Is it reasonable default behaviour to insert the
> > received token in the TokenIssuer as the authorization data, and if
> > none exists fall back to ask the IdentityService for any authorization data?
> >
> > 3) I can extract the token on the service side using the GSS API in
> > the way suggested by Kai. However, how can I send the token to the KDC
> > on the client side using GSS?
> >
> > Thanks,
> >
> > Colm.
> >
> > On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> >
> > > It's not a bug. It works that way, the temp value will be there only
> > > after you have decode/decrypt the part.
> > >
> > > Note SGT is used/consumed in app server side, and can be decrypted
> > > using the server ticket/key. I suggest you try this in the
> > > GssAppTest codes using the example code I provided in my last email,
> > > where you should be able to query/extract the authorization data. If
> > > you put the token in the authorization data, then after decoding it,
> > > you could extract token from it. I remembered we had defined the
> > > AuthzToken type for this actually but guess it's not used yet.
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Friday, June 17, 2016 7:21 PM
> > > To: kerby@directory.apache.org
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > Thanks Kai and Jiajia!
> > >
> > > I'm trying to get access to the authorization data using the Kerby
> > > API after getting a service ticket:
> > >
> > > SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc,
> > > cCacheFile.getPath());
> > >
> > > However the following is null:
> > >
> > > tkt.getTicket().getEncPart()
> > >
> > > Is this a bug or how else can I parse the ticket to get the
> > > authorization data?
> > >
> > > Colm.
> > >
> > > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > >
> > > > Thanks Jiajia for the first question!
> > > >
> > > > For the second one, since you're using GSS the even lower level,
> > > > which is more fine, and should be totally doable. Ref. the following doc:
> > > >
> > > > https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
> > > >
> > > >       // imports: org.ietf.jgss.*, com.sun.security.jgss.*, java.security.Key
> > > >       GSSContext ctxt = m.createContext(...)
> > > >       // Establishing the context (initSecContext / acceptSecContext loop)
> > > >       if (ctxt instanceof ExtendedGSSContext) {
> > > >           ExtendedGSSContext ex = (ExtendedGSSContext) ctxt;
> > > >           try {
> > > >               // inquireSecContext returns Object; cast to the type the InquireType yields
> > > >               Key key = (Key) ex.inquireSecContext(
> > > >                       InquireType.KRB5_GET_SESSION_KEY);
> > > >               // read key info
> > > >           } catch (GSSException gsse) {
> > > >               // deal with exception
> > > >           }
> > > >       }
> > > >
> > > > As you can see after established the GSS context, you can query
> > > > the SESSION_KEY from the layer. You can also query AUTHZ_DATA field similarly!
> > > > After you get authz data, it's up to you to decode it, say using
> > > > Kerby library to decode the ASN1 object and extract any info in it like the token.
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Li, Jiajia [mailto:jiajia.li@intel.com]
> > > > Sent: Thursday, June 16, 2016 7:50 PM
> > > > To: kerby@directory.apache.org; coheigea@apache.org
> > > > Subject: RE: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Hi Colm,
> > > >
> > > > For the first question: I think now the token has not been put
> > > > into the issued service ticket as authorization data. You can look
> > > > at issueTicket()#TgsRequest.java in server side for detail.
> > > >
> > > > Regards,
> > > > Jiajia
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > Sent: Thursday, June 16, 2016 7:19 PM
> > > > To: kerby@directory.apache.org
> > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Thanks Kai. A few questions below.
> > > >
> > > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > >
> > > > >
> > > > > 1. For issuing service ticket, the token used to do the
> > > > > authentication or a token derivation was put into the issued
> > > > > service ticket as authorization data. I'm not sure in current
> > > > > Kerby impl, it has done this or not. If not, it should be not
> > > > > difficult to support it, considering we have some Kerby authorization support now.
> > > > >
> > > >
> > > > I can take a look at this. Can you give me some pointers in the
> > > > code so that I know where to start?
> > > >
> > > >
> > > > >
> > > > > 2. In application server side, it should be able to query and
> > > > > extract out the token encapsulated in the authorization data
> > > > > field in the service ticket. This should be doable now, because
> > > > > a proposal from me quite some ago had already been accepted by
> > > > > Oracle Java, as recorded in the following ticket, though I
> > > > > hadn't got the chance to verify it using latest JDK update like JDK8.
> > > > >
> > > > > JDK-8044085, our extension proposal accepted and committed:
> > > > > allowing querying authorization data field of service ticket.
> > > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > > >
> > > >
> > > > The JDK service ticket only refers to SASL. If I'm just using GSS
> > > > on the service side, is it already supported? If so, how can I extract it?
> > > >
> > > > Colm.
> > > >
> > > >
> > > > >
> > > > >
> > > > > So in summary, if you want to try this, I would suggest please
> > > > > go ahead since it's doable now. Please let me know if you have other questions.
> > > > >
> > > > > Regards,
> > > > > Kai
> > > > >
> > > > > -----Original Message-----
> > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > > To: kerby@directory.apache.org
> > > > > Subject: JWT pre-authentication - get JWT token on service side
> > > > >
> > > > > Hi all,
> > > > >
> > > > > For the JWT pre-authentication use-case, how can I get access to
> > > > > the token information on the service side?
> > > > >
> > > > > From the documentation: "The service authenticates the ticket,
> > > > > extracts the token derivation, then enforce any advanced
> > > > > authorization by employing the token derivation and token attributes"
> > > > >
> > > > > Is there an example in the code to look at?
> > > > >
> > > > > Colm.
> > > > >
> > > > >



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
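The "GSSHeader did not find the right tag" error in the thread comes from the acceptor's first check on an incoming token, and the following is an added illustration of that check (not Kerby, JDK or Colm's test code). It parses the RFC 2743 InitialContextToken header a GSS acceptor expects and shows why the bytes from `sgtTicket.getTicket().encode()`, a bare Kerberos Ticket, are rejected; the sample byte strings are constructed placeholders with only the outer ASN.1 tags, not real Kerberos messages.

```python
# A GSS acceptor parses the RFC 2743 s3.1 InitialContextToken header first:
#   0x60 (APPLICATION 0) | DER length | mech OID | innerContextToken
# For the krb5 mech (RFC 4121 s4.1) the inner token is a 2-byte TOK_ID followed by
# a DER AP-REQ ([APPLICATION 14], tag 0x6e); a bare Ticket is [APPLICATION 1] (0x61).
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")  # OID 1.2.840.113554.1.2.2
TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}
APP_TAGS = {0x61: "Ticket [APPLICATION 1]", 0x6e: "AP-REQ [APPLICATION 14]"}

def der_length(n):
    """DER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_der_length(buf, pos):
    """Return (length, offset of the first content byte) for the length at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_gss_token(buf):
    """Mirror the acceptor-side header check behind 'did not find the right tag'."""
    if not buf:
        return "defective: empty token"
    if buf[0] != 0x60:
        what = APP_TAGS.get(buf[0], "tag 0x%02x" % buf[0])
        return "defective: %s is not a GSS InitialContextToken (expected 0x60)" % what
    _, pos = read_der_length(buf, 1)
    if buf[pos] != 0x06:
        return "defective: no mechanism OID after the APPLICATION 0 header"
    oid_len, oid_start = read_der_length(buf, pos + 1)
    oid_end = oid_start + oid_len
    if buf[pos:oid_end] != KRB5_MECH_OID_DER:
        return "unsupported mechanism OID " + buf[pos:oid_end].hex()
    tok_id = buf[oid_end:oid_end + 2]
    return "krb5 " + TOK_IDS.get(tok_id, "unknown TOK_ID " + tok_id.hex())

def wrap_initial_context_token(ap_req_der):
    """Frame a DER AP-REQ the way a krb5 GSS initiator does (RFC 4121 s4.1)."""
    body = KRB5_MECH_OID_DER + b"\x01\x00" + ap_req_der
    return b"\x60" + der_length(len(body)) + body

# Constructed placeholders: correct outer tags, dummy bodies, not real Kerberos messages.
FAKE_TICKET = bytes.fromhex("6103300100")   # [APPLICATION 1], what encode() on a Ticket yields
FAKE_AP_REQ = bytes.fromhex("6e03300100")   # [APPLICATION 14], ticket plus authenticator
```

Framing alone does not make a Ticket verifiable: an AP-REQ also carries an authenticator encrypted under the session key, so the client has to produce the AP-REQ (via a GSS initiator or the Kerby client API) rather than encode the Ticket and hand it to GSS.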
