From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: JWT pre-authentication - get JWT token on service side
Date Wed, 22 Jun 2016 15:31:21 GMT
Hi Kai,

On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <kai.zheng@intel.com> wrote:

> I don't quite get your 2nd question. I don't find TokenIssuer class in
> Kerby codebase.
>

Apologies, I meant "TicketIssuer". It asks the IdentifyService for the
authorization data:

 getKdcContext().getIdentityService()
                .getIdentityAuthorizationData(kdcRequest, encTicketPart);

However, I don't have access to the token in the identity service as I
said...

Colm.


>
> >> I can extract the token on the service side using the GSS API in the
> way suggested by Kai.
> I thought this was major progress. This means you have almost put all the
> things together.
>
> >>However, how can I send the token to the KDC on the client side using
> GSS?
> Great question. Here what you need would be a login module using the token,
> and the module will send the token to the KDC for a TGT to get an SGT that's
> to be used in a GSS session. We already have the module, please look at
> TokenAuthLoginModule.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Wednesday, June 22, 2016 9:36 PM
> To: kerby@directory.apache.org
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Hi all,
>
> Some more questions on this task:
>
> 1) Kai, you mentioned the AuthzToken type. Is this defined somewhere so
> that I can add it in to the AuthorizationType class?
>
> 2) Currently, the TokenIssuer class asks the IdentityService for the
> authorization data. However, the IdentityService doesn't have access to the
> token. Is it reasonable default behaviour to insert the received token in
> the TokenIssuer as the authorization data, and if none exists fall back to
> ask the IdentityService for any authorization data?
>
> 3) I can extract the token on the service side using the GSS API in the
> way suggested by Kai. However, how can I send the token to the KDC on the
> client side using GSS?
>
> Thanks,
>
> Colm.
>
> On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> > It's not a bug. It works that way, the temp value will be there only
> > after you have decoded/decrypted the part.
> >
> > Note the SGT is used/consumed on the app server side, and can be decrypted
> > using the server ticket/key. I suggest you try this in the GssAppTest
> > codes using the example code I provided in my last email, where you
> > should be able to query/extract the authorization data. If you put the
> > token in the authorization data, then after decoding it, you could
> > extract the token from it. I remember we had defined the AuthzToken type
> > for this actually but I guess it's not used yet.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Friday, June 17, 2016 7:21 PM
> > To: kerby@directory.apache.org
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Thanks Kai and Jiajia!
> >
> > I'm trying to get access to the authorization data using the Kerby API
> > after getting a service ticket:
> >
> > SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc,
> > cCacheFile.getPath());
> >
> > However the following is null:
> >
> > tkt.getTicket().getEncPart()
> >
> > Is this a bug or how else can I parse the ticket to get the
> > authorization data?
> >
> > Colm.
> >
> > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> >
> > > Thanks Jiajia for the first question!
> > >
> > > For the second one, since you're using GSS, the even lower level,
> > > that's fine too and should be totally doable. Ref. the following doc:
> > >
> > > https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
> > >
> > >       GSSContext ctxt = m.createContext(...)
> > >       // Establishing the context
> > >       if (ctxt instanceof ExtendedGSSContext) {
> > >           ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
> > >           try {
> > >               // the returned object is a java.security.Key
> > >               Key key = (Key)ex.inquireSecContext(
> > >                       InquireType.KRB5_GET_SESSION_KEY);
> > >               // read key info
> > >           } catch (GSSException gsse) {
> > >               // deal with exception
> > >           }
> > >       }
> > >
> > > As you can see, after establishing the GSS context you can query the
> > > SESSION_KEY from the layer. You can also query the AUTHZ_DATA field
> > > similarly!
> > > After you get the authz data, it's up to you to decode it, say using the
> > > Kerby library to decode the ASN.1 object and extract any info in it,
> > > like the token.
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Li, Jiajia [mailto:jiajia.li@intel.com]
> > > Sent: Thursday, June 16, 2016 7:50 PM
> > > To: kerby@directory.apache.org; coheigea@apache.org
> > > Subject: RE: JWT pre-authentication - get JWT token on service side
> > >
> > > Hi Colm,
> > >
> > > For the first question: I think now the token has not been put into
> > > the issued service ticket as authorization data. You can look at
> > > issueTicket()#TgsRequest.java in server side for detail.
> > >
> > > Regards,
> > > Jiajia
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Thursday, June 16, 2016 7:19 PM
> > > To: kerby@directory.apache.org
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > Thanks Kai. A few questions below.
> > >
> > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <kai.zheng@intel.com>
> > wrote:
> > >
> > > >
> > > > 1. For issuing the service ticket, the token used to do the
> > > > authentication, or a token derivation, is put into the issued
> > > > service ticket as authorization data. I'm not sure whether the current
> > > > Kerby impl has done this or not. If not, it should not be
> > > > difficult to support it, considering we have some Kerby
> > > > authorization support now.
> > > >
> > >
> > > I can take a look at this. Can you give me some pointers in the code
> > > so that I know where to start?
> > >
> > >
> > > >
> > > > 2. In application server side, it should be able to query and
> > > > extract out the token encapsulated in the authorization data field
> > > > in the service ticket. This should be doable now, because a
> > > > proposal from me quite some ago had already been accepted by
> > > > Oracle Java, as recorded in the following ticket, though I hadn't
> > > > got the chance to verify it using latest JDK update like JDK8.
> > > >
> > > > JDK-8044085, our extension proposal accepted and committed:
> > > > allowing querying authorization data field of service ticket.
> > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > >
> > >
> > > The JDK service ticket only refers to SASL. If I'm just using GSS on
> > > the service side, is it already supported? If so, how can I extract it?
> > >
> > > Colm.
> > >
> > >
> > > >
> > > >
> > > > So in summary, if you want to try this, I would suggest please go
> > > > ahead since it's doable now. Please let me know if you have other
> > > questions.
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > To: kerby@directory.apache.org
> > > > Subject: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Hi all,
> > > >
> > > > For the JWT pre-authentication use-case, how can I get access to
> > > > the token information on the service side?
> > > >
> > > > From the documentation: "The service authenticates the ticket,
> > > > extracts the token derivation, then enforce any advanced
> > > > authorization by employing the token derivation and token attributes"
> > > >
> > > > Is there an example in the code to look at?
> > > >
> > > > Colm.
> > > >
> > > >
> > > > --
> > > > Colm O hEigeartaigh
> > > >
> > > > Talend Community Coder
> > > > http://coders.talend.com
> > > >
> > >
> > >
> > >
> >
> >
> >
>
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
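As an added illustration (not code from this thread or from the Kerby project), the service-side step Colm asks about: once the acceptor's GSS context is established, query the authorization data with the JDK-8044085 extension and pick out the token entry. The ad-type number of the token entry is an assumed placeholder, since the thread notes the AuthzToken type is not yet defined in Kerby's AuthorizationType.

```java
import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

/**
 * Service-side helper: after the acceptor's GSSContext is established, read
 * the authorization data of the (already decrypted) service ticket and
 * return the raw bytes of the token entry, if one is present.
 */
public final class ServiceTokenExtractor {

    // Assumed ad-type number for the token entry. The thread says the
    // "AuthzToken" type is not yet defined in Kerby's AuthorizationType,
    // so this placeholder must be replaced by the real value once it exists.
    static final int TOKEN_AD_TYPE = 140;

    private ServiceTokenExtractor() {}

    /** Returns the token bytes carried in the ticket's authz data, or null. */
    public static byte[] extractToken(GSSContext ctxt) throws GSSException {
        if (!ctxt.isEstablished()) {
            throw new IllegalStateException("GSS context not yet established");
        }
        if (!(ctxt instanceof ExtendedGSSContext)) {
            return null; // provider lacks the Oracle/OpenJDK extension
        }
        ExtendedGSSContext ex = (ExtendedGSSContext) ctxt;
        // KRB5_GET_AUTHZ_DATA is the query added by JDK-8044085. On the
        // acceptor it yields the ticket's AuthorizationData, which the JGSS
        // layer decrypted with the service's own long-term key, so the data
        // is as trustworthy as the ticket itself.
        Object result = ex.inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
        if (!(result instanceof AuthorizationDataEntry[])) {
            return null;
        }
        for (AuthorizationDataEntry entry : (AuthorizationDataEntry[]) result) {
            if (entry.getType() == TOKEN_AD_TYPE) {
                // The ticket only proves the KDC placed this entry; the
                // service must still verify the token's signature and expiry
                // before enforcing authorization from its attributes.
                return entry.getData();
            }
        }
        return null;
    }
}
```

If the entry's bytes are themselves an ASN.1 structure, decode them with Kerby's ASN.1 types as Kai suggests; the JDK has already split the outer AuthorizationData into typed entries.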
