directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: JWT pre-authentication - get JWT token on service side
Date Fri, 01 Jul 2016 22:31:24 GMT
Hi Colm,

I didn't check the code yet, but generally the module should do the same thing as Krb5LoginModule does
in the post-processing of login. You seem to have found a bug in the new module.

@Jiajia, would you have some comments? Thanks.

Regards,
Kai
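Added example (mine, not code from this thread or from the Kerby project) of the post-login step Kai refers to: a Kerby-backed JAAS module converting the TgtTicket it obtained into the JDK's KerberosTicket and committing it into the Subject's private credentials, which is where the JRE GSS-API provider looks for the TGT. The Kerby package names and accessors (getEncKdcRepPart, getSessionKey, getClientPrincipal, getTicket().encode(), KerberosTime.getTime(), TicketFlags.getFlags()) are assumptions about the Kerby 1.x API; the javax.security.auth.kerberos part is standard JDK.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;

public final class KerbyTgtCommitter {

    /** Converts a Kerby TGT into the JDK's KerberosTicket (Kerby accessor names assumed). */
    public static KerberosTicket toJdkTicket(TgtTicket tgt) throws KrbException {
        EncKdcRepPart rep = tgt.getEncKdcRepPart();
        EncryptionKey sessionKey = tgt.getSessionKey();

        // Assumes PrincipalName.getName() renders "name@REALM"; otherwise append the TGS realm.
        String clientName = tgt.getClientPrincipal().getName();
        if (!clientName.contains("@")) {
            clientName = clientName + "@" + rep.getSrealm();
        }
        KerberosPrincipal client = new KerberosPrincipal(clientName);
        KerberosPrincipal server = new KerberosPrincipal(
                rep.getSname().getName() + "@" + rep.getSrealm());

        // RFC 4120 TicketFlags as the JDK wants them: one boolean per bit, index 0 = MSB.
        int rawFlags = rep.getFlags().getFlags();
        boolean[] flags = new boolean[32];
        for (int i = 0; i < 32; i++) {
            flags[i] = (rawFlags & (1 << (31 - i))) != 0;
        }

        byte[] asn1Ticket;
        try {
            asn1Ticket = tgt.getTicket().encode();   // DER Ticket, what Krb5LoginModule keeps too
        } catch (IOException e) {
            throw new KrbException("Cannot encode TGT", e);
        }

        return new KerberosTicket(asn1Ticket, client, server,
                sessionKey.getKeyData(), sessionKey.getKeyType().getValue(), flags,
                toDate(rep.getAuthTime()), toDate(rep.getStartTime()),
                toDate(rep.getEndTime()), toDate(rep.getRenewTill()),
                (InetAddress[]) null);                // no client address restriction
    }

    /** The post-login step: what a Kerby-backed LoginModule.commit() must put in the Subject. */
    public static void commit(Subject subject, TgtTicket tgt) throws KrbException {
        KerberosTicket jdkTgt = toJdkTicket(tgt);
        subject.getPrincipals().add(jdkTgt.getClient());
        // The JRE GSS provider searches PRIVATE credentials for a KerberosTicket; a KrbToken in
        // the public credentials is invisible to it ("Failed to find any Kerberos tgt").
        subject.getPrivateCredentials().add(jdkTgt);
    }

    private static Date toDate(KerberosTime t) {
        return t == null ? null : new Date(t.getTime());
    }
}
```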

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Friday, July 01, 2016 7:09 PM
To: kerby@directory.apache.org
Subject: Re: JWT pre-authentication - get JWT token on service side

Hi Kai,

Thanks for your reply. OK, writing a JAAS LoginModule that wraps the Kerby API is fine with
me. However, if I look at the existing TokenAuthLoginModule, it just adds the credential via:

subject.getPublicCredentials().add(krbToken);

It looks like GSS needs the TGT to be encoded in the Subject somehow?
Please look at the following @Ignore'd test. I'm getting the Subject using the TokenAuthLoginModule
and then attempting to get a service ticket using the GSS API and the Subject. It fails with
"Caused by:
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)":

https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=68933ae0

Colm.


On Fri, Jul 1, 2016 at 2:22 AM, Zheng, Kai <kai.zheng@intel.com> wrote:

> Sorry for being late. I just got a chance to look at the code closely.
>
> I thought it's clearly right in the following test, where it logs in
> first via JAAS, then gets the TGT, then the SGT, and finally wraps the
> SGT in a GSS token. It gets the GSS token (roughly an AppReq (of the SGT) in
> a token wrapper) and then lets it be validated against a server key.
>
>     @Test
>     public void testGss() throws Exception {
>         Subject clientSubject = loginClientUsingTicketCache();
>         Set<Principal> clientPrincipals = clientSubject.getPrincipals();
>         Assert.assertFalse(clientPrincipals.isEmpty());
>
>         // Get the TGT
>         Set<KerberosTicket> privateCredentials =
>                 clientSubject.getPrivateCredentials(KerberosTicket.class);
>         Assert.assertFalse(privateCredentials.isEmpty());
>         KerberosTicket tgt = privateCredentials.iterator().next();
>         Assert.assertNotNull(tgt);
>
>         // Get the service ticket
>         KerberosClientExceptionAction action =
>                 new KerberosClientExceptionAction(clientPrincipals.iterator().next(),
>                         getServerPrincipal());
>
>         byte[] kerberosToken = (byte[]) Subject.doAs(clientSubject, action);
>         Assert.assertNotNull(kerberosToken);
>
>         validateServiceTicket(kerberosToken);
>     }
>
> I don't think it's right here. The point is that the bytes to validate at
> the last step shouldn't be the SGT directly; instead, it should be a
> GSS token of an AppReq of the SGT. But you might ask how to generate the
> GSS token? I don't have a better idea than the way used in the above
> test method, that's to say, it is better to use the GSSAPI layer in the JRE
> directly, since the Kerby one isn't ready yet.
>
> But how do you proceed in the way above? As you said in previous
> emails, you don't want to use JAAS login modules, but rather use the
> Kerby client API directly. I would suggest you still start with
> JAAS, doing everything you want in a JAAS login module (like calling the
> Kerby client API) and obtain a validly logged-in subject or security
> context, and then do the rest as you did in the above test method. It
> should be able to work, like we did or will do in the token login module.
>
>     @Test
>     @org.junit.Ignore
>     public void testKerbyClientAndGssService() throws Exception {
>         KrbClient client = getKrbClient();
>         client.init();
>
>         try {
>             // Get a service ticket using Kerby APIs
>             TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
>             Assert.assertTrue(tgt != null);
>
>             SgtTicket tkt = client.requestSgt(tgt, getServerPrincipal());
>             Assert.assertTrue(tkt != null);
>
>             Credential credential = new Credential(tkt, tgt.getClientPrincipal());
>             CredentialCache cCache = new CredentialCache();
>             cCache.addCredential(credential);
>             cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
>
>             ByteArrayOutputStream bout = new ByteArrayOutputStream();
>             CredCacheOutputStream os = new CredCacheOutputStream(bout);
>             cCache.store(bout);
>             os.close();
>
>             // Now validate the ticket using GSS
>             validateServiceTicket(bout.toByteArray());
>         } catch (Exception e) {
>             e.printStackTrace();
>             Assert.fail();
>         }
>     }
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Wednesday, June 29, 2016 4:37 PM
> To: kerby@directory.apache.org
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Sure, no rush :-)
>
> Colm.
>
> On Wed, Jun 29, 2016 at 2:48 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> > Hi Colm, I will look at this later today. Hope it works for you.
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Tuesday, June 28, 2016 10:00 PM
> > To: kerby@directory.apache.org
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Hi Kai,
> >
> > Could you take a look at the @Ignore'd test-case I just committed:
> >
> >
> > https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=blobdiff;f=kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java;h=7e0d269f6e0c19fb4f750dd98542a4d5011e1dc5;hp=832d59dda4b0b0739ef5a1228da0b7bb20c10ab9;hb=1bce738d;hpb=79d4a584129026bcf920dd1ae5c28c27c6971412
> >
> > It gets an SgtTicket using Kerby and tries to get the resulting
> > service token in byte array form to validate with GSS. Running the test leads to:
> >
> > Caused by: GSSException: Defective token detected (Mechanism level:
> > GSSHeader did not find the right tag)
> >
> > I get the same error if I just do "sgtTicket.getTicket().encode()".
> >
> > Colm.
> >
> > On Thu, Jun 23, 2016 at 9:26 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> >
> > > I’m just back from my sleep. ☺
> > >
> > > Regarding how to get the service ticket from the SgtTicket object in
> > > bytes, probably you do sgtTicket.getTicket().encode(). If it
> > > doesn't work, please reference the code in
> > > CredCacheOutputStream.java to see how it stores a ticket in a file.
> > >
> > > Regards,
> > > Kai
> > >
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Thursday, June 23, 2016 11:25 PM
> > > To: Zheng, Kai <kai.zheng@intel.com>
> > > Cc: kerby@directory.apache.org
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > >
> > > On Thu, Jun 23, 2016 at 3:28 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > I see. Why do you want to validate it using GSS on the client side?
> > > Because the client gets it and then should just trust it, right?
> > > Validating a service ticket needs the service key or keytab,
> > > which is why I thought it would be on the server side.
> > >
> > > Just to test that it works! See the unit test called "unitGSSTest" here:
> > >
> > >
> > > https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-kerberos-kerby/src/test/java/org/apache/coheigea/cxf/kerberos/authentication/AuthenticationTest.java
> > > Using the GSS API I do:
> > >
> > > byte[] ticket = (byte[]) Subject.doAs(clientSubject, action); ...
> > > validateServiceTicket(ticket);
> > >
> > >
> > > I got your scenario. Are you able to obtain the service ticket or not? You
> > > seem to, because you said you can use a JWT token for that. But
> > > then you asked how to access the service ticket on the client side
> > > using the Kerby API. Do you have the SgtTicket in hand? If yes, I
> > > thought you could then extract something from it to put into the SOAP header.
> > > Could you point to the relevant spec about that? I may then have a
> > > concrete idea to help.
> > >
> > > Yes I have the SgtTicket in hand. Now I want to extract the service ticket
> > > from this class as an array of bytes, similar to what I get above
> > > from Subject.doAs using the GSS API. I know how to put the Kerberos token in the
> > > SOAP header, my question is how to get it from SgtTicket in the first place
> > > :-)
> > > Thanks again for your help,
> > >
> > > Colm.
> > >
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Thursday, June 23, 2016 9:40 PM
> > > To: kerby@directory.apache.org
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > On Thu, Jun 23, 2016 at 2:31 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > >
> > > >
> > > > >> How do I extract the token from SgtTicket that I can validate using GSS?
> > > > Sorry, but where do you want to do this? App client side or server side?
> > > > If on the server side, I thought you had already made it, as your
> > > > previous email notified, being able to query/extract the
> > > > authorization data and get the token from it. Would you clarify a bit?
> > > >
> > >
> > > On the client side. So what I want to do is use the Kerby API to
> > > get a service ticket (using a JWT token) and then extract the
> > > ticket from the KDC response + validate it using GSS. For example, for SOAP web
> > > services, the service ticket is inserted into the SOAP header of
> > > the web services call in BASE-64 format. So the question is, how can I get access to the
> > > service ticket on the client side using the Kerby API?
> > >
> > > Thanks,
> > >
> > > Colm.
> > >
> > >
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > Sent: Thursday, June 23, 2016 7:59 PM
> > > > To: Zheng, Kai <kai.zheng@intel.com>
> > > > Cc: kerby@directory.apache.org
> > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Hi Kai,
> > > >
> > > > On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > >
> > > > Great question. Here what you need would be a login module using a
> > > > token, and the module will send the token to the KDC for a TGT to
> > > > get an SGT that's to be used in a GSS session. We already have
> > > > the module, please look at TokenAuthLoginModule.
> > > >
> > > > From what I can see, the TokenAuthLoginModule just gets the TGT 
> > > > and not the SGT. However, I can get the service ticket easily 
> > > > enough via the Kerby API from this. How do I extract the token 
> > > > from SgtTicket that I can validate using GSS?
> > > >
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > Sent: Wednesday, June 22, 2016 9:36 PM
> > > > To: kerby@directory.apache.org
> > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Hi all,
> > > >
> > > > Some more questions on this task:
> > > >
> > > > 1) Kai, you mentioned the AuthzToken type. Is this defined 
> > > > somewhere so that I can add it in to the AuthorizationType class?
> > > >
> > > > 2) Currently, the TokenIssuer class asks the IdentityService for
> > > > the authorization data. However, the IdentityService doesn't
> > > > have access to the token. Is it reasonable default behaviour to
> > > > insert the received token in the TokenIssuer as the
> > > > authorization data, and if none exists fall back to ask the
> > > > IdentityService for any authorization data?
> > > >
> > > > 3) I can extract the token on the service side using the GSS API 
> > > > in the way suggested by Kai. However, how can I send the token 
> > > > to the KDC on the client side using GSS?
> > > >
> > > > Thanks,
> > > >
> > > > Colm.
> > > >
> > > > On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > >
> > > > > It's not a bug. It works that way, the temp value will be
> > > > > there only after you have decoded/decrypted the part.
> > > > >
> > > > > Note the SGT is used/consumed on the app server side, and can be
> > > > > decrypted using the server ticket/key. I suggest you try this
> > > > > in the GssAppTest code using the example code I provided in
> > > > > my last email, where you should be able to query/extract the
> > > > > authorization data. If you put the token in the authorization
> > > > > data, then after decoding it, you could extract the token from it.
> > > > > I remember we had defined the AuthzToken type for this
> > > > > actually, but I guess it's not used yet.
> > > > >
> > > > > Regards,
> > > > > Kai
> > > > >
> > > > > -----Original Message-----
> > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > Sent: Friday, June 17, 2016 7:21 PM
> > > > > To: kerby@directory.apache.org
> > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > >
> > > > > Thanks Kai and Jiajia!
> > > > >
> > > > > I'm trying to get access to the authorization data using the 
> > > > > Kerby API after getting a service ticket:
> > > > >
> > > > > SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc, cCacheFile.getPath());
> > > > >
> > > > > However the following is null:
> > > > >
> > > > > tkt.getTicket().getEncPart()
> > > > >
> > > > > Is this a bug or how else can I parse the ticket to get the 
> > > > > authorization data?
> > > > >
> > > > > Colm.
> > > > >
> > > > > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > >
> > > > > > Thanks Jiajia for the first question!
> > > > > >
> > > > > > For the second one, since you're using GSS, the even lower
> > > > > > level, which is even better, it should be totally doable. Ref.
> > > > > > the following doc:
> > > > > >
> > > > > > https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
> > > > > >
> > > > > >       GSSContext ctxt = m.createContext(...)
> > > > > >       // Establishing the context
> > > > > >       if (ctxt instanceof ExtendedGSSContext) {
> > > > > >           ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
> > > > > >           try {
> > > > > >               Key key = (Key)ex.inquireSecContext(
> > > > > >                       InquireType.KRB5_GET_SESSION_KEY);
> > > > > >               // read key info
> > > > > >           } catch (GSSException gsse) {
> > > > > >               // deal with exception
> > > > > >           }
> > > > > >       }
> > > > > >
> > > > > > As you can see, after establishing the GSS context, you can
> > > > > > query the SESSION_KEY from the layer. You can also query the
> > > > > > AUTHZ_DATA field similarly!
> > > > > > After you get the authz data, it's up to you to decode it, say
> > > > > > using the Kerby library to decode the ASN1 object and extract
> > > > > > any info in it like the token.
> > > > > >
> > > > > > Regards,
> > > > > > Kai
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Li, Jiajia [mailto:jiajia.li@intel.com]
> > > > > > Sent: Thursday, June 16, 2016 7:50 PM
> > > > > > To: kerby@directory.apache.org; coheigea@apache.org
> > > > > > Subject: RE: JWT pre-authentication - get JWT token on service side
> > > > > >
> > > > > > Hi Colm,
> > > > > >
> > > > > > For the first question: I think now the token has not been
> > > > > > put into the issued service ticket as authorization data.
> > > > > > You can look at issueTicket()#TgsRequest.java on the server side for details.
> > > > > >
> > > > > > Regards,
> > > > > > Jiajia
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > Sent: Thursday, June 16, 2016 7:19 PM
> > > > > > To: kerby@directory.apache.org
> > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > >
> > > > > > Thanks Kai. A few questions below.
> > > > > >
> > > > > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > >
> > > > > > >
> > > > > > > 1. For issuing the service ticket, the token used to do the
> > > > > > > authentication or a token derivation was put into the
> > > > > > > issued service ticket as authorization data. I'm not sure
> > > > > > > whether the current Kerby impl has done this or not. If not, it
> > > > > > > should not be difficult to support it, considering we have
> > > > > > > some Kerby authorization support now.
> > > > > > >
> > > > > >
> > > > > > I can take a look at this. Can you give me some pointers in
> > > > > > the code so that I know where to start?
> > > > > >
> > > > > >
> > > > > > >
> > > > > > > 2. On the application server side, it should be able to query
> > > > > > > and extract the token encapsulated in the
> > > > > > > authorization data field in the service ticket. This
> > > > > > > should be doable now, because a proposal from me quite
> > > > > > > some time ago had already been accepted by Oracle Java, as
> > > > > > > recorded in the following ticket, though I hadn't got the
> > > > > > > chance to verify it using the latest JDK update like JDK8.
> > > > > > >
> > > > > > > JDK-8044085, our extension proposal accepted and committed:
> > > > > > > allowing querying authorization data field of service ticket.
> > > > > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > > > > >
> > > > > >
> > > > > > The JDK service ticket only refers to SASL. If I'm just
> > > > > > using GSS on the service side, is it already supported? If
> > > > > > so, how can I extract it?
> > > > > >
> > > > > > Colm.
> > > > > >
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > > So in summary, if you want to try this, I would suggest
> > > > > > > please go ahead since it's doable now. Please let me know
> > > > > > > if you have other questions.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Kai
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > > > > To: kerby@directory.apache.org
> > > > > > > Subject: JWT pre-authentication - get JWT token on service side
> > > > > > >
> > > > > > > Hi all,
> > > > > > >
> > > > > > > For the JWT pre-authentication use-case, how can I get
> > > > > > > access to the token information on the service side?
> > > > > > >
> > > > > > > From the documentation: "The service authenticates the
> > > > > > > ticket, extracts the token derivation, then enforce any
> > > > > > > advanced authorization by employing the token derivation
> > > > > > > and token attributes"
> > > > > > >
> > > > > > > Is there an example in the code to look at?
> > > > > > >
> > > > > > > Colm.
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Colm O hEigeartaigh
> > > > > > >
> > > > > > > Talend Community Coder
> > > > > > > http://coders.talend.com
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

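The exchange Kai describes in the thread above (the client wraps an AP-REQ for the SGT in a GSS token, the service accepts it under its own key and then reads the ticket's authorization data through ExtendedGSSContext, per JDK-8044085), as an added example that is not part of the thread or of Kerby. It assumes both Subjects were already logged in through JAAS (client with a TGT in its private credentials, service with a keytab), a servicePrincipal string such as "HTTP/host@REALM", and that the Kerby class org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData decodes a nested AD-IF-RELEVANT element as shown; raw SGT bytes or a ccache handed to acceptSecContext are rejected as a defective token, which is the error the thread reports.

```java
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;

public final class GssAuthzDataExchange {
    private static final String KRB5_MECH = "1.2.840.113554.1.2.2"; // Kerberos V5 mechanism OID
    private static final int AD_IF_RELEVANT = 1;                      // RFC 4120, section 5.2.6.1

    /** Runs as the client Subject (TGT in private credentials); returns the AP-REQ GSS token. */
    public static byte[] clientToken(Subject clientSubject, String servicePrincipal) throws Exception {
        return Subject.doAs(clientSubject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSName target = manager.createName(servicePrincipal, GSSName.NT_USER_NAME);
            GSSContext ctx = manager.createContext(target, new Oid(KRB5_MECH), null,
                    GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false);   // one token only; the SGT is fetched with the TGT
            try {
                return ctx.initSecContext(new byte[0], 0, 0);
            } finally {
                ctx.dispose();
            }
        });
    }

    /** Runs as the service Subject (keytab); verifies the token and returns flattened AD entries. */
    public static List<AuthorizationDataEntry> acceptAndReadAuthzData(Subject serviceSubject,
            byte[] token) throws Exception {
        return Subject.doAs(serviceSubject, (PrivilegedExceptionAction<List<AuthorizationDataEntry>>) () -> {
            GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            try {
                ctx.acceptSecContext(token, 0, token.length);   // fails unless valid under our key
                if (!ctx.isEstablished()) throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                List<AuthorizationDataEntry> out = new ArrayList<>();
                Object ad = ctx instanceof ExtendedGSSContext
                        ? ((ExtendedGSSContext) ctx).inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA)
                        : null;
                if (ad != null) {
                    for (AuthorizationDataEntry e : (AuthorizationDataEntry[]) ad) {
                        flatten(e, out);
                    }
                }
                return out;   // trustworthy only because acceptSecContext verified the ticket
            } finally {
                ctx.dispose();
            }
        });
    }

    /** AD-IF-RELEVANT wraps a nested AuthorizationData; Kerby's ASN.1 types decode it (assumed API). */
    private static void flatten(AuthorizationDataEntry e, List<AuthorizationDataEntry> out) throws Exception {
        if (e.getType() != AD_IF_RELEVANT) { out.add(e); return; }
        AuthorizationData nested = new AuthorizationData();
        nested.decode(e.getData());
        for (org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry k : nested.getElements()) {
            flatten(new AuthorizationDataEntry(k.getAuthzType().getValue(), k.getAuthzData()), out);
        }
    }
}
```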