directory-kerby mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: JWT pre-authentication - get JWT token on service side
Date Wed, 29 Jun 2016 08:36:34 GMT
Sure, no rush :-)

Colm.

On Wed, Jun 29, 2016 at 2:48 AM, Zheng, Kai <kai.zheng@intel.com> wrote:

> Hi Colm, I will look at this later today. Hope it works for you.
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Tuesday, June 28, 2016 10:00 PM
> To: kerby@directory.apache.org
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Hi Kai,
>
> Could you take a look at the @Ignore'd test-case I just committed:
>
>
> https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=blobdiff;f=kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java;h=7e0d269f6e0c19fb4f750dd98542a4d5011e1dc5;hp=832d59dda4b0b0739ef5a1228da0b7bb20c10ab9;hb=1bce738d;hpb=79d4a584129026bcf920dd1ae5c28c27c6971412
>
> It gets a SgtTicket using Kerby and tries to get the resulting service
> token in byte array form to validate with GSS. Running the test leads to:
>
> Caused by: GSSException: Defective token detected (Mechanism level:
> GSSHeader did not find the right tag)
>
> I get the same error if I just do "sgtTicket.getTicket().encode()".
>
> Colm.
>
> On Thu, Jun 23, 2016 at 9:26 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> > I’m just back from my sleep. ☺
> >
> > Regarding how to get the service ticket from the SgtTicket object in
> > bytes, probably you do sgtTicket.getTicket().encode(). If it doesn’t
> > work, please reference the code in CredCacheOutputStream.java to see
> > how it stores a ticket in a file.
> >
> > Regards,
> > Kai
> >
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Thursday, June 23, 2016 11:25 PM
> > To: Zheng, Kai <kai.zheng@intel.com>
> > Cc: kerby@directory.apache.org
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> >
> > On Thu, Jun 23, 2016 at 3:28 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > I see. Why do you want to validate it using GSS on the client side?
> > Because the client gets it and then should just trust it, right?
> > Validating a service ticket needs the service key or keytab, which is
> > why I thought it could be on the server side.
> >
> > Just to test that it works! See the unit test called "unitGSSTest" here:
> >
> >
> > https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-kerberos-kerby/src/test/java/org/apache/coheigea/cxf/kerberos/authentication/AuthenticationTest.java
> > Using the GSS API I do:
> >
> > byte[] ticket = (byte[]) Subject.doAs(clientSubject, action); ...
> > validateServiceTicket(ticket);
> >
> >
> > I got your scenario. Are you able to obtain the service ticket or not? You
> > seem to, because you said you can use a JWT token for that. But then you
> > asked how to access the service ticket on the client side using the Kerby
> > API. Do you have the SgtTicket in hand? If yes, I thought then you can
> > extract something from it to put into the SOAP header. Could you point to
> > the relevant spec about that? I may then have a concrete idea to help.
> >
> > Yes, I have the SgtTicket in hand. Now I want to extract the service ticket
> > from this class as an array of bytes, similar to what I get above from
> > Subject.doAs using the GSS API. I know how to put the Kerberos token in the
> > SOAP header; my question is how to get it from SgtTicket in the first place
> > :-)
> > Thanks again for your help,
> >
> > Colm.
> >
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Thursday, June 23, 2016 9:40 PM
> > To: kerby@directory.apache.org
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > On Thu, Jun 23, 2016 at 2:31 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> >
> > >
> > > >> How do I extract the token from SgtTicket that I can validate using GSS?
> > > Sorry, but where do you want to do this? App client side or server side?
> > > If on the server side, I thought you had already made it, as your
> > > previous email notified, being able to query/extract the authorization
> > > data and get the token from it. Would you clarify a bit?
> > >
> >
> > On the client side. So what I want to do is use the Kerby API to get a
> > service ticket (using a JWT token) and then extract the ticket from the KDC
> > response + validate it using GSS. For example, for SOAP web services, the
> > service ticket is inserted into the SOAP header of the web services call in
> > BASE-64 format. So the question is, how can I get access to the service
> > ticket on the client side using the Kerby API?
> >
> > Thanks,
> >
> > Colm.
> >
> >
> > >
> > > Regards,
> > > Kai
> > >
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Thursday, June 23, 2016 7:59 PM
> > > To: Zheng, Kai <kai.zheng@intel.com>
> > > Cc: kerby@directory.apache.org
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > Hi Kai,
> > >
> > > On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > >
> > > Great question. Here what you need would be a login module using a
> > > token, and the module will send the token to the KDC for a TGT to get an
> > > SGT that's to be used in a GSS session. We already have the module;
> > > please look at TokenAuthLoginModule.
> > >
> > > From what I can see, the TokenAuthLoginModule just gets the TGT and
> > > not the SGT. However, I can get the service ticket easily enough via
> > > the Kerby API from this. How do I extract the token from SgtTicket
> > > that I can validate using GSS?
> > >
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Wednesday, June 22, 2016 9:36 PM
> > > To: kerby@directory.apache.org
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > Hi all,
> > >
> > > Some more questions on this task:
> > >
> > > 1) Kai, you mentioned the AuthzToken type. Is this defined somewhere
> > > so that I can add it in to the AuthorizationType class?
> > >
> > > 2) Currently, the TokenIssuer class asks the IdentityService for the
> > > authorization data. However, the IdentityService doesn't have access
> > > to the token. Is it reasonable default behaviour to insert the
> > > received token in the TokenIssuer as the authorization data, and if
> > > none exists fall back to ask the IdentityService for any authorization data?
> > >
> > > 3) I can extract the token on the service side using the GSS API in
> > > the way suggested by Kai. However, how can I send the token to the KDC
> > > on the client side using GSS?
> > >
> > > Thanks,
> > >
> > > Colm.
> > >
> > > On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > >
> > > > It's not a bug. It works that way; the temp value will be there only
> > > > after you have decoded/decrypted the part.
> > > >
> > > > Note SGT is used/consumed in app server side, and can be decrypted
> > > > using the server ticket/key. I suggest you try this in the
> > > > GssAppTest codes using the example code I provided in my last email,
> > > > where you should be able to query/extract the authorization data. If
> > > > you put the token in the authorization data, then after decoding it,
> > > > you could extract the token from it. I remember we had defined the
> > > > AuthzToken type for this, actually, but I guess it's not used yet.
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > Sent: Friday, June 17, 2016 7:21 PM
> > > > To: kerby@directory.apache.org
> > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Thanks Kai and Jiajia!
> > > >
> > > > I'm trying to get access to the authorization data using the Kerby
> > > > API after getting a service ticket:
> > > >
> > > > SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc,
> > > > cCacheFile.getPath());
> > > >
> > > > However the following is null:
> > > >
> > > > tkt.getTicket().getEncPart()
> > > >
> > > > Is this a bug or how else can I parse the ticket to get the
> > > > authorization data?
> > > >
> > > > Colm.
> > > >
> > > > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > >
> > > > > Thanks Jiajia for the first question!
> > > > >
> > > > > For the second one, since you're using GSS, the even lower level,
> > > > > which is more fine, and should be totally doable. Ref. the
> > > > > following doc:
> > > > >
> > > > > https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
> > > > >
> > > > >       GSSContext ctxt = m.createContext(...);
> > > > >       // Establishing the context
> > > > >       if (ctxt instanceof ExtendedGSSContext) {
> > > > >           ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
> > > > >           try {
> > > > >               // cast to java.security.Key (the doc snippet had "(key)")
> > > > >               Key key = (Key)ex.inquireSecContext(
> > > > >                       InquireType.KRB5_GET_SESSION_KEY);
> > > > >               // read key info
> > > > >           } catch (GSSException gsse) {
> > > > >               // deal with exception
> > > > >           }
> > > > >       }
> > > > >
> > > > > As you can see, after establishing the GSS context, you can query
> > > > > the SESSION_KEY from the layer. You can also query the AUTHZ_DATA
> > > > > field similarly!
> > > > > After you get the authz data, it's up to you to decode it, say using
> > > > > the Kerby library to decode the ASN1 object and extract any info in it,
> > > > > like the token.
> > > > >
> > > > > Regards,
> > > > > Kai
> > > > >
> > > > > -----Original Message-----
> > > > > From: Li, Jiajia [mailto:jiajia.li@intel.com]
> > > > > Sent: Thursday, June 16, 2016 7:50 PM
> > > > > To: kerby@directory.apache.org; coheigea@apache.org
> > > > > Subject: RE: JWT pre-authentication - get JWT token on service
> > > > > side
> > > > >
> > > > > Hi Colm,
> > > > >
> > > > > For the first question: I think right now the token has not been put
> > > > > into the issued service ticket as authorization data. You can look
> > > > > at issueTicket()#TgsRequest.java on the server side for details.
> > > > >
> > > > > Regards,
> > > > > Jiajia
> > > > >
> > > > > -----Original Message-----
> > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > Sent: Thursday, June 16, 2016 7:19 PM
> > > > > To: kerby@directory.apache.org
> > > > > Subject: Re: JWT pre-authentication - get JWT token on service
> > > > > side
> > > > >
> > > > > Thanks Kai. A few questions below.
> > > > >
> > > > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > >
> > > > > >
> > > > > > 1. For issuing a service ticket, the token used to do the
> > > > > > authentication, or a token derivation, was put into the issued
> > > > > > service ticket as authorization data. I'm not sure whether the current
> > > > > > Kerby impl has done this or not. If not, it should not be
> > > > > > difficult to support it, considering we have some Kerby
> > > > > > authorization support now.
> > > > > >
> > > > >
> > > > > I can take a look at this. Can you give me some pointers in the
> > > > > code so that I know where to start?
> > > > >
> > > > >
> > > > > >
> > > > > > 2. On the application server side, it should be able to query and
> > > > > > extract the token encapsulated in the authorization data
> > > > > > field in the service ticket. This should be doable now, because
> > > > > > a proposal from me quite some time ago had already been accepted by
> > > > > > Oracle Java, as recorded in the following ticket, though I
> > > > > > hadn't got the chance to verify it using the latest JDK update like
> > > > > > JDK8.
> > > > > >
> > > > > > JDK-8044085, our extension proposal accepted and committed:
> > > > > > allowing querying authorization data field of service ticket.
> > > > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > > > >
> > > > >
> > > > > The JDK service ticket only refers to SASL. If I'm just using GSS
> > > > > on the service side, is it already supported? If so, how can I
> > > > > extract it?
> > > > >
> > > > > Colm.
> > > > >
> > > > >
> > > > > >
> > > > > >
> > > > > > So in summary, if you want to try this, I would suggest please
> > > > > > go ahead since it's doable now. Please let me know if you have
> > > > > > other questions.
> > > > > >
> > > > > > Regards,
> > > > > > Kai
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > > > To: kerby@directory.apache.org
> > > > > > Subject: JWT pre-authentication - get JWT token on service side
> > > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > For the JWT pre-authentication use-case, how can I get access to
> > > > > > the token information on the service side?
> > > > > >
> > > > > > From the documentation: "The service authenticates the ticket,
> > > > > > extracts the token derivation, then enforce any advanced
> > > > > > authorization by employing the token derivation and token
> > > > > > attributes"
> > > > > >
> > > > > > Is there an example in the code to look at?
> > > > > >
> > > > > > Colm.
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Colm O hEigeartaigh
> > > > > >
> > > > > > Talend Community Coder
> > > > > > http://coders.talend.com



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
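An added example, not Kerby's code and not from anyone in this thread: the "GSSHeader did not find the right tag" error arises because GSS-API expects an InitialContextToken (RFC 2743 section 3.1: an [APPLICATION 0] wrapper holding the Kerberos mechanism OID, a two-byte token id and a DER KRB_AP_REQ), whereas a bare DER Ticket from `getTicket().encode()` starts with the [APPLICATION 1] tag. The parser below checks that framing and names which case it saw; `SAMPLE_AP_REQ` is a constructed stand-in, not a real AP-REQ.

```python
# Added example, not Kerby code: GSS-API InitialContextToken framing (RFC 2743 s3.1) around a KRB_AP_REQ.
KRB5_MECH_OID = "1.2.840.113554.1.2.2"   # RFC 1964 Kerberos V5 mechanism OID
KRB5_MECH_OID_DER = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"  # same OID, DER encoded
TOKEN_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}

def _der_length(buf, pos):  # DER length at buf[pos] -> (length, position after it)
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _encode_length(n):  # DER length, short or long form
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw

def _decode_oid(body):  # DER OID content bytes -> dotted string
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def wrap_gss_token(ap_req):  # [APPLICATION 0] { mech OID, token id 01 00, DER AP-REQ }
    body = KRB5_MECH_OID_DER + b"\x01\x00" + ap_req
    return b"\x60" + _encode_length(len(body)) + body

def parse_gss_header(token):  # -> mech OID, token type and inner Kerberos message, or ValueError
    if token[:1] != b"\x60" or len(token) < 2:  # [APPLICATION 0], constructed: what GSSHeader wants
        kind = "bare Kerberos Ticket (APPLICATION 1)" if token[:1] == b"\x61" else "unknown"
        raise ValueError("GSSHeader did not find the right tag: %s" % kind)
    length, pos = _der_length(token, 1)
    if length == 0 or pos + length != len(token) or token[pos] != 0x06:
        raise ValueError("bad outer length or missing mechanism OID")
    oid_len, pos = _der_length(token, pos + 1)
    if oid_len == 0 or pos + oid_len > len(token):
        raise ValueError("bad mechanism OID length")
    mech = _decode_oid(token[pos:pos + oid_len])
    pos += oid_len
    if mech != KRB5_MECH_OID:
        raise ValueError("unexpected mechanism OID " + mech)
    tok_id = token[pos:pos + 2]
    if tok_id not in TOKEN_IDS:
        raise ValueError("unknown Kerberos token id %r" % tok_id)
    return {"mech": mech, "type": TOKEN_IDS[tok_id], "inner": token[pos + 2:]}

# Constructed stand-in for a DER KRB_AP_REQ ([APPLICATION 14] tag 0x6e); not a real AP-REQ.
SAMPLE_AP_REQ = b"\x6e\x05\x30\x03\x02\x01\x05"
```

Feeding a bare ticket to `parse_gss_header` reproduces the tag mismatch from the thread, while a token built by `wrap_gss_token` parses back to its AP-REQ; a real service-side check would still have to decrypt and verify that AP-REQ with the service key.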
