directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: JWT pre-authentication - get JWT token on service side
Date Mon, 04 Jul 2016 15:01:31 GMT
Regarding how to place the login module, I thought of putting it in the kerb-client module in a
separate package like 'jaas'; it would be good to do that because it sounds somewhat useful now. We
may have more such modules when more authentication mechanisms are to be supported in future.
We often draft some code in tests initially; when it looks good we promote it to some
better place.

About supporting the 'access' token in your case, I agree that having some way to come up with the initiator
GSS token wrapping the service ticket to send out would be ideal and natural. That's why
we're working on Kerby-based GSS support. Currently most of the work is done in the gssapi
branch contributed by Wei Zhou, but I have never got the chance to play around with it and
verify whether it works or not. Currently our guys are pretty busy with other tasks, and will be
back to such tasks probably in a month or so.

Regards,
Kai

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Monday, July 04, 2016 7:52 PM
To: kerby@directory.apache.org
Cc: Zheng, Kai <kai.zheng@intel.com>
Subject: Re: JWT pre-authentication - get JWT token on service side

Thanks Jiajia, it's working well now. With regards to the LoginModule, I made some changes
to fix some NPEs. I also changed the logic slightly, so that if the signing key is not specified,
it just reads in the token from the cache and writes it out "as is". If the token was issued
by say an OpenId Connect service, the client shouldn't be signing it again. Perhaps the logic
could be rewritten a bit, I'm open to any ideas. Two questions on the LoginModule itself:

a) Perhaps the LoginModule should be moved from the "integration-test"
module? Or at least rename the module to something like "token-integration".
b) The LoginModule itself is not adding the KerberosPrincipal to the Subject, I think it should
do this rather than have the test code add the Subject before the LoginModule is invoked.

Getting back to the use-case itself, I think the main scenario of interest is where the JWT
Token is the "access" rather than "identity" case. So the client gets a token from an OpenId
Connect authorization service targeted at a kerberized service. The client must then get
a token for the service using the JWT token, etc.

Using the LoginModule + GSS approach as above works well for the "identity"
case, where we're using the JWT token to get a TGT. But how can it work for the case of using
the JWT to get a Service ticket? With the first approach we're using the GSS API to get the
service ticket, and I'm not sure if it's possible to change this to specify the JWT token
somehow?

Colm.



On Mon, Jul 4, 2016 at 7:41 AM, Li, Jiajia <jiajia.li@intel.com> wrote:

> I think this commit can fix the issue:
>
>
> https://git-wip-us.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=358340dd2a60a36a69988f1dd7c509cf585acdc8
>
> @Colm, can you check it?
>
> Thanks
> Jiajia
>
> -----Original Message-----
> From: Li, Jiajia [mailto:jiajia.li@intel.com]
> Sent: Monday, July 4, 2016 12:07 PM
> To: Zheng, Kai <kai.zheng@intel.com>; kerby@directory.apache.org; coheigea@apache.org
> Subject: RE: JWT pre-authentication - get JWT token on service side
>
> Hi Colm,
>
> As Kai said, it's a bug in the new module.
>
> >> However, if I look at the existing TokenAuthLoginModule, it just adds
> >> the credential via:
> >> subject.getPublicCredentials().add(krbToken);
> >> It looks like GSS needs the TGT to be encoded in the Subject somehow?
>
> Yes, in the TokenAuthLoginModule, some credentials should be added to the
> subject's private credentials.
> I will take some time to fix it.
>
> Regards,
> Jiajia
>
> -----Original Message-----
> From: Zheng, Kai
> Sent: Saturday, July 2, 2016 6:31 AM
> To: kerby@directory.apache.org; coheigea@apache.org; Li, Jiajia <jiajia.li@intel.com>
> Subject: RE: JWT pre-authentication - get JWT token on service side
>
> Hi Colm,
>
> I didn't check the code yet, but generally the module should do something
> similar to Krb5LoginModule in the post-processing of login. You
> seem to have found a bug in the new module.
>
> @Jiajia, would you have some comments? Thanks.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Friday, July 01, 2016 7:09 PM
> To: kerby@directory.apache.org
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Hi Kai,
>
> Thanks for your reply. OK, writing a JAAS LoginModule that wraps the
> Kerby API is fine with me. However, if I look at the existing
> TokenAuthLoginModule, it just adds the credential via:
>
> subject.getPublicCredentials().add(krbToken);
>
> It looks like GSS needs the TGT to be encoded in the Subject somehow?
> Please look at the following @Ignore'd test. I'm getting the Subject
> using the TokenAuthLoginModule and then attempting to get a service
> ticket using the GSS API and the Subject. It fails with "Caused by:
> org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level:
> Failed to find any Kerberos tgt)":
>
> https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=68933ae0
>
> Colm.
>
>
> On Fri, Jul 1, 2016 at 2:22 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> > Sorry for the lateness. Just got a chance to look at the code closely.
> >
> > I thought it was clearly right in the following test, where it logs in
> > first via JAAS, then gets the TGT, then the SGT, and then at last you wrap
> > the SGT in a GSS token. It got the GSS token (roughly an AP-REQ (of the
> > SGT) in a token wrapper) and then let it be validated against a server key.
> >
> >     @Test
> >     public void testGss() throws Exception {
> >         Subject clientSubject = loginClientUsingTicketCache();
> >         Set<Principal> clientPrincipals = clientSubject.getPrincipals();
> >         Assert.assertFalse(clientPrincipals.isEmpty());
> >
> >         // Get the TGT
> >         Set<KerberosTicket> privateCredentials =
> >                 clientSubject.getPrivateCredentials(KerberosTicket.class);
> >         Assert.assertFalse(privateCredentials.isEmpty());
> >         KerberosTicket tgt = privateCredentials.iterator().next();
> >         Assert.assertNotNull(tgt);
> >
> >         // Get the service ticket
> >         KerberosClientExceptionAction action =
> >                 new KerberosClientExceptionAction(clientPrincipals.iterator().next(),
> >                         getServerPrincipal());
> >
> >         byte[] kerberosToken = (byte[]) Subject.doAs(clientSubject, action);
> >         Assert.assertNotNull(kerberosToken);
> >
> >         validateServiceTicket(kerberosToken);
> >     }
> >
> > I don't think it's right here. The point is that the bytes to validate at
> > the last step shouldn't be the SGT directly; instead, it should be a
> > GSS token of the AP-REQ of the SGT. But you might ask how to generate
> > the GSS token? I don't have a better idea than the way used in the
> > above test method, that's to say, better to use the GSSAPI layer in the JRE
> > directly, since the Kerby one isn't ready yet.
> >
> > But how do you proceed in the way above? As you told in previous
> > emails, you don't want to use JAAS login modules, but rather use the
> > Kerby client API directly. I would suggest you still start
> > with JAAS, doing everything you want in a JAAS login module (like
> > calling the Kerby client API) and obtain a valid logged-in subject or
> > security context, and then do the rest as you did in the above test
> > method. It should work, like we did or will do in the token login module.
> >
> >     @Test
> >     @org.junit.Ignore
> >     public void testKerbyClientAndGssService() throws Exception {
> >         KrbClient client = getKrbClient();
> >         client.init();
> >
> >         try {
> >             // Get a service ticket using Kerby APIs
> >             TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
> >             Assert.assertTrue(tgt != null);
> >
> >             SgtTicket tkt = client.requestSgt(tgt, getServerPrincipal());
> >             Assert.assertTrue(tkt != null);
> >
> >             Credential credential = new Credential(tkt, tgt.getClientPrincipal());
> >             CredentialCache cCache = new CredentialCache();
> >             cCache.addCredential(credential);
> >             cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
> >
> >             ByteArrayOutputStream bout = new ByteArrayOutputStream();
> >             CredCacheOutputStream os = new CredCacheOutputStream(bout);
> >             cCache.store(bout);
> >             os.close();
> >
> >             // Now validate the ticket using GSS
> >             validateServiceTicket(bout.toByteArray());
> >         } catch (Exception e) {
> >             e.printStackTrace();
> >             Assert.fail();
> >         }
> >     }
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Wednesday, June 29, 2016 4:37 PM
> > To: kerby@directory.apache.org
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Sure, no rush :-)
> >
> > Colm.
> >
> > On Wed, Jun 29, 2016 at 2:48 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> >
> > > Hi Colm, I will look at this late of today. Hope it works for you.
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Tuesday, June 28, 2016 10:00 PM
> > > To: kerby@directory.apache.org
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > Hi Kai,
> > >
> > > Could you take a look at the @Ignore'd test-case I just committed:
> > >
> > >
> > > https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=blobdiff;f=kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java;h=7e0d269f6e0c19fb4f750dd98542a4d5011e1dc5;hp=832d59dda4b0b0739ef5a1228da0b7bb20c10ab9;hb=1bce738d;hpb=79d4a584129026bcf920dd1ae5c28c27c6971412
> > >
> > > It gets a SgtTicket using Kerby and tries to get the resulting
> > > service token in byte array form to validate with GSS. Running the
> > > test leads to:
> > >
> > > Caused by: GSSException: Defective token detected (Mechanism level:
> > > GSSHeader did not find the right tag)
> > >
> > > I get the same error if I just do "sgtTicket.getTicket().encode()".
> > >
> > > Colm.
> > >
> > > On Thu, Jun 23, 2016 at 9:26 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > >
> > > > I’m just back from my sleep. ☺
> > > >
> > > > Regarding how to get the service ticket from the SgtTicket object in
> > > > bytes, probably you do sgtTicket.getTicket().encode(). If it
> > > > doesn't work, please reference the code in
> > > > CredCacheOutputStream.java to see how it stores a ticket in a file.
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > Sent: Thursday, June 23, 2016 11:25 PM
> > > > To: Zheng, Kai <kai.zheng@intel.com>
> > > > Cc: kerby@directory.apache.org
> > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > >
> > > >
> > > > On Thu, Jun 23, 2016 at 3:28 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > I see. Why do you want to validate it using GSS on the client side?
> > > > Because the client gets it and then should just trust it, right?
> > > > Validating a service ticket needs the service key or keytab,
> > > > which is why I thought it could be on the server side.
> > > >
> > > > Just to test that it works! See the unit test called "unitGSSTest" here:
> > > >
> > > >
> > > > https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-kerberos-kerby/src/test/java/org/apache/coheigea/cxf/kerberos/authentication/AuthenticationTest.java
> > > > Using the GSS API I do:
> > > >
> > > > byte[] ticket = (byte[]) Subject.doAs(clientSubject, action); ...
> > > > validateServiceTicket(ticket);
> > > >
> > > >
> > > > I got your scenario. Are you able to obtain the service ticket
> > > > or not? You seem to, because you said you can use a JWT token for that. But
> > > > then you asked how to access the service ticket on the client
> > > > side using the Kerby API. Did you have the SgtTicket in hand? If
> > > > yes, I thought then you can extract something from it to put
> > > > into the SOAP header.
> > > > Could you point to the relevant spec about that? I may then have a
> > > > concrete idea to help.
> > > >
> > > > Yes I have the SgtTicket in hand. Now I want to extract the
> > > > service ticket from this class as an array of bytes, similar to what I get
> > > > above from Subject.doAs using the GSS API. I know how to put the
> > > > Kerberos token in the SOAP header, my question is how to get it from
> > > > SgtTicket in the first place :-)
> > > > Thanks again for your help,
> > > >
> > > > Colm.
> > > >
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > Sent: Thursday, June 23, 2016 9:40 PM
> > > > To: kerby@directory.apache.org
> > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > >
> > > > On Thu, Jun 23, 2016 at 2:31 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > >
> > > > >
> > > > > >> How do I extract the token from SgtTicket that I can
> > > > > >> validate using GSS?
> > > > > Sorry, but where do you want to do this? App client side or
> > > > > server side?
> > > > > If on the server side, I thought you had already made it, as your
> > > > > previous email notified, being able to query/extract the
> > > > > authorization data and get the token from it. Would you clarify a
> > > > > bit?
> > > > >
> > > >
> > > > On the client side. So what I want to do is use the Kerby API to
> > > > get a service ticket (using a JWT token) and then extract the
> > > > ticket from the KDC response + validate it using GSS. For example, for SOAP web
> > > > services, the service ticket is inserted into the SOAP header of
> > > > the web services call in BASE-64 format. So the question is, how can I get access to the
> > > > service ticket on the client side using the Kerby API?
> > > >
> > > > Thanks,
> > > >
> > > > Colm.
> > > >
> > > >
> > > > >
> > > > > Regards,
> > > > > Kai
> > > > >
> > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > Sent: Thursday, June 23, 2016 7:59 PM
> > > > > To: Zheng, Kai <kai.zheng@intel.com>
> > > > > Cc: kerby@directory.apache.org
> > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > >
> > > > > Hi Kai,
> > > > >
> > > > > On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > >
> > > > > Great question. What you need here would be a login module
> > > > > using a token, and the module will send the token to the KDC for a
> > > > > TGT to get an SGT that's to be used in a GSS session. We
> > > > > already have the module; please look at TokenAuthLoginModule.
> > > > >
> > > > > From what I can see, the TokenAuthLoginModule just gets the 
> > > > > TGT and not the SGT. However, I can get the service ticket 
> > > > > easily enough via the Kerby API from this. How do I extract 
> > > > > the token from SgtTicket that I can validate using GSS?
> > > > >
> > > > >
> > > > > Regards,
> > > > > Kai
> > > > >
> > > > > -----Original Message-----
> > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > Sent: Wednesday, June 22, 2016 9:36 PM
> > > > > To: kerby@directory.apache.org
> > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > >
> > > > > Hi all,
> > > > >
> > > > > Some more questions on this task:
> > > > >
> > > > > 1) Kai, you mentioned the AuthzToken type. Is this defined 
> > > > > somewhere so that I can add it in to the AuthorizationType class?
> > > > >
> > > > > 2) Currently, the TokenIssuer class asks the IdentityService
> > > > > for the authorization data. However, the IdentityService
> > > > > doesn't have access to the token. Is it reasonable default
> > > > > behaviour to insert the received token in the TokenIssuer as
> > > > > the authorization data, and if none exists fall back to ask
> > > > > the IdentityService for any authorization data?
> > > > >
> > > > > 3) I can extract the token on the service side using the GSS 
> > > > > API in the way suggested by Kai. However, how can I send the 
> > > > > token to the KDC on the client side using GSS?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Colm.
> > > > >
> > > > > On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > >
> > > > > > It's not a bug. It works that way; the temp value will be
> > > > > > there only after you have decoded/decrypted the part.
> > > > > >
> > > > > > Note the SGT is used/consumed on the app server side, and can be
> > > > > > decrypted using the server ticket/key. I suggest you try
> > > > > > this in the GssAppTest code using the example code I
> > > > > > provided in my last email, where you should be able to
> > > > > > query/extract the authorization data. If you put the token
> > > > > > in the authorization data, then after decoding it, you could
> > > > > > extract the token from it.
> > > > > > I remember we had defined the AuthzToken type for this
> > > > > > actually, but I guess it's not used yet.
> > > > > >
> > > > > > Regards,
> > > > > > Kai
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > Sent: Friday, June 17, 2016 7:21 PM
> > > > > > To: kerby@directory.apache.org
> > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > >
> > > > > > Thanks Kai and Jiajia!
> > > > > >
> > > > > > I'm trying to get access to the authorization data using the
> > > > > > Kerby API after getting a service ticket:
> > > > > >
> > > > > > SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc, cCacheFile.getPath());
> > > > > >
> > > > > > However the following is null:
> > > > > >
> > > > > > tkt.getTicket().getEncPart()
> > > > > >
> > > > > > Is this a bug or how else can I parse the ticket to get the
> > > > > > authorization data?
> > > > > >
> > > > > > Colm.
> > > > > >
> > > > > > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > >
> > > > > > > Thanks Jiajia for the first question!
> > > > > > >
> > > > > > > For the second one, since you're using GSS, the even lower
> > > > > > > level, which is fine, it should be totally doable. Ref.
> > > > > > > the following doc:
> > > > > > >
> > > > > > > https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
> > > > > > >
> > > > > > >       GSSContext ctxt = m.createContext(...)
> > > > > > >       // Establishing the context
> > > > > > >       if (ctxt instanceof ExtendedGSSContext) {
> > > > > > >           ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
> > > > > > >           try {
> > > > > > >               Key key = (Key) ex.inquireSecContext(
> > > > > > >                       InquireType.KRB5_GET_SESSION_KEY);
> > > > > > >               // read key info
> > > > > > >           } catch (GSSException gsse) {
> > > > > > >               // deal with exception
> > > > > > >           }
> > > > > > >       }
> > > > > > >
> > > > > > > As you can see, after the GSS context is established, you can
> > > > > > > query the SESSION_KEY from the layer. You can also query the
> > > > > > > AUTHZ_DATA field similarly!
> > > > > > > After you get the authz data, it's up to you to decode it, say
> > > > > > > using the Kerby library to decode the ASN1 object and extract
> > > > > > > any info in it like the token.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Kai
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Li, Jiajia [mailto:jiajia.li@intel.com]
> > > > > > > Sent: Thursday, June 16, 2016 7:50 PM
> > > > > > > To: kerby@directory.apache.org; coheigea@apache.org
> > > > > > > Subject: RE: JWT pre-authentication - get JWT token on service side
> > > > > > >
> > > > > > > Hi Colm,
> > > > > > >
> > > > > > > For the first question: I think now the token has not been
> > > > > > > put into the issued service ticket as authorization data.
> > > > > > > You can look at issueTicket()#TgsRequest.java on the server
> > > > > > > side for detail.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Jiajia
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > > Sent: Thursday, June 16, 2016 7:19 PM
> > > > > > > To: kerby@directory.apache.org
> > > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > > >
> > > > > > > Thanks Kai. A few questions below.
> > > > > > >
> > > > > > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > > >
> > > > > > > >
> > > > > > > > 1. For issuing a service ticket, the token used to do the
> > > > > > > > authentication or a token derivation was put into the
> > > > > > > > issued service ticket as authorization data. I'm not
> > > > > > > > sure whether the current Kerby impl has done this or not. If
> > > > > > > > not, it should not be difficult to support it,
> > > > > > > > considering we have some Kerby authorization support now.
> > > > > > > >
> > > > > > >
> > > > > > > I can take a look at this. Can you give me some pointers
> > > > > > > in the code so that I know where to start?
> > > > > > >
> > > > > > >
> > > > > > > >
> > > > > > > > 2. On the application server side, it should be able to
> > > > > > > > query and extract the token encapsulated in the
> > > > > > > > authorization data field in the service ticket. This
> > > > > > > > should be doable now, because a proposal from me quite
> > > > > > > > some time ago had already been accepted by Oracle Java, as
> > > > > > > > recorded in the following ticket, though I hadn't got
> > > > > > > > the chance to verify it using the latest JDK update like
> > > > > > > > JDK8.
> > > > > > > >
> > > > > > > > JDK-8044085, our extension proposal accepted and committed:
> > > > > > > > allowing querying the authorization data field of a service ticket.
> > > > > > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > > > > > >
> > > > > > >
> > > > > > > The JDK service ticket only refers to SASL. If I'm just
> > > > > > > using GSS on the service side, is it already supported? If
> > > > > > > so, how can I extract it?
> > > > > > >
> > > > > > > Colm.
> > > > > > >
> > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > So in summary, if you want to try this, I would suggest
> > > > > > > > please go ahead since it's doable now. Please let me
> > > > > > > > know if you have other questions.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Kai
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > > > > > To: kerby@directory.apache.org
> > > > > > > > Subject: JWT pre-authentication - get JWT token on service side
> > > > > > > >
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > For the JWT pre-authentication use-case, how can I get
> > > > > > > > access to the token information on the service side?
> > > > > > > >
> > > > > > > > From the documentation: "The service authenticates the
> > > > > > > > ticket, extracts the token derivation, then enforce any
> > > > > > > > advanced authorization by employing the token derivation
> > > > > > > > and token attributes"
> > > > > > > >
> > > > > > > > Is there an example in the code to look at?
> > > > > > > >
> > > > > > > > Colm.
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Colm O hEigeartaigh
> > > > > > > >
> > > > > > > > Talend Community Coder
> > > > > > > > http://coders.talend.com
> > > > > > > >



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
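The service-side step the thread keeps coming back to (accepting the client's GSS token and then querying the ticket's authorization data through the JDK-8044085 extension Kai points at), written out as an added example; this is not code from the thread, from Kerby or from Oracle's documentation. It assumes the acceptor already holds a logged-in service Subject (keytab or key), that the AP-REQ token arrived over the application protocol (for example base64-decoded from a SOAP header), and that the ad-type under which the KDC embeds the token is known: AD_TYPE_TOKEN below is a placeholder for that number, not a value Kerby defines.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Optional;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;

/**
 * Acceptor-side extraction of authorization data from a Kerberos service ticket
 * via the Sun/Oracle ExtendedGSSContext API (InquireType.KRB5_GET_AUTHZ_DATA).
 * Added example; AD_TYPE_TOKEN is a placeholder, not a value defined by Kerby.
 */
public final class ServiceSideAuthzData {

    /** Placeholder ad-type: replace with the number Kerby uses for its token entry. */
    static final int AD_TYPE_TOKEN = -1;

    private ServiceSideAuthzData() { }

    /**
     * Accepts the client's AP-REQ inside the service's JAAS Subject and returns
     * the raw ad-data bytes of the first entry carrying AD_TYPE_TOKEN, or empty
     * if the ticket carries no such entry. By the time acceptSecContext returns,
     * the ticket has been decrypted and verified with the service key, so the
     * returned bytes were sealed by the KDC and could not be altered by the client.
     */
    static Optional<byte[]> extractTokenAuthzData(Subject serviceSubject, byte[] apReqToken)
            throws Exception {
        PrivilegedExceptionAction<Optional<byte[]>> accept = () -> {
            GSSManager manager = GSSManager.getInstance();
            // A null credential means "use whatever the Subject holds" (the service key).
            GSSContext ctx = manager.createContext((GSSCredential) null);
            try {
                // For the Kerberos mechanism the acceptor side is established in one call.
                ctx.acceptSecContext(apReqToken, 0, apReqToken.length);
                if (!ctx.isEstablished()) {
                    throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                }
                if (!(ctx instanceof ExtendedGSSContext)) {
                    return Optional.empty(); // not the Sun/Oracle JGSS implementation
                }
                Object data = ((ExtendedGSSContext) ctx)
                        .inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
                if (!(data instanceof AuthorizationDataEntry[])) {
                    return Optional.empty(); // ticket carried no authorization data
                }
                return findEntry((AuthorizationDataEntry[]) data, AD_TYPE_TOKEN);
            } finally {
                ctx.dispose();
            }
        };
        return Subject.doAs(serviceSubject, accept);
    }

    /**
     * Returns the data of the first entry with the given ad-type. Entries nested
     * inside an AD-IF-RELEVANT wrapper (ad-type 1, RFC 4120) are not unpacked here:
     * the wrapper's data is itself a DER AuthorizationData sequence, and decoding
     * it, like decoding the token entry itself, is a job for Kerby's ASN.1 types.
     */
    static Optional<byte[]> findEntry(AuthorizationDataEntry[] entries, int adType) {
        for (AuthorizationDataEntry e : entries) {
            if (e.getType() == adType) {
                return Optional.of(e.getData());
            }
        }
        return Optional.empty();
    }
}
```

Under a security manager the inquireSecContext call additionally needs an InquireSecContextPermission for KRB5_GET_AUTHZ_DATA granted to the service code.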