directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: JWT pre-authentication - get JWT token on service side
Date Wed, 06 Jul 2016 16:06:10 GMT
Sorry Colm, for the late reply.

I thought the identity token not only can do the authentication for the client instead of the user password, but can also do something similar to, or even more than, the access token. It can also carry some useful attributes, and those attributes should also be able to be passed down to the app server side for the same purpose. However, I haven't checked the existing code yet and I'm not sure we did everything needed to make it work that way. For example, when the identity token is used to issue a TGT, is a token derivation of the useful attributes generated and put into the issued TGT? When the TGT is used to issue a service ticket, is the token derivation put into the issued service ticket? With that, you should be able to make the use case work via the identity token, instead of the access token, as a workaround.

Regards,
Kai
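The service-side step discussed further down in this thread (querying the authorization data of the accepted service ticket through ExtendedGSSContext, the JDK-8044085 extension Kai refers to), as an added example that is not code from the Kerby project or from anyone on this thread. It assumes the KDC has put the JWT into the ticket's authorization data under an ad-type whose real value comes from Kerby's AuthzToken definition; the class name and the AD_TYPE_AUTHZ_TOKEN_PLACEHOLDER constant are placeholders of mine.

```java
import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/**
 * Service side of the token use case: accept the client's AP-REQ (the GSS
 * initiator token wrapping the service ticket), then read the authorization
 * data of the decrypted ticket and look for the token the KDC placed there.
 * Added example; not Kerby project code.
 */
public final class ServiceTicketTokenReader {

    /** RFC 4120 AD-IF-RELEVANT container; entries nested in it need their own ASN.1 decode. */
    static final int AD_IF_RELEVANT = 1;

    /**
     * Placeholder: the ad-type under which the KDC stores the JWT. The real value is
     * whatever Kerby's AuthzToken authorization type is defined as.
     */
    static final int AD_TYPE_AUTHZ_TOKEN_PLACEHOLDER = 0x7fff0000;

    /**
     * Accepts the initiator token with the default acceptor credential (the keytab-backed
     * credential of the Subject this runs under, as resolved by the JGSS provider).
     * The acceptor is established after processing the AP-REQ; the AP-REP reply token
     * is only needed when the client asked for mutual authentication and is not
     * returned by this helper.
     */
    public static GSSContext acceptServiceTicket(byte[] initiatorToken) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSContext ctx = manager.createContext((GSSCredential) null);
        ctx.acceptSecContext(initiatorToken, 0, initiatorToken.length);
        if (!ctx.isEstablished()) {
            ctx.dispose();
            throw new GSSException(GSSException.DEFECTIVE_TOKEN);
        }
        return ctx;
    }

    /**
     * Reads the authorization-data entries of the service ticket behind an established
     * context. Returns an empty list when the provider does not expose ExtendedGSSContext
     * (a non-Sun JGSS provider) or the ticket carries no authorization data.
     */
    public static List<AuthorizationDataEntry> authorizationData(GSSContext ctx) throws GSSException {
        List<AuthorizationDataEntry> out = new ArrayList<>();
        if (!(ctx instanceof ExtendedGSSContext)) {
            return out;
        }
        Object result = ((ExtendedGSSContext) ctx).inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
        if (result instanceof AuthorizationDataEntry[]) {
            for (AuthorizationDataEntry e : (AuthorizationDataEntry[]) result) {
                out.add(e);
            }
        }
        return out;
    }

    /**
     * Returns the JWT (compact serialization, as UTF-8 text) found under the given
     * ad-type, or null if the ticket carries none. The ticket was encrypted by the KDC to
     * the service key, so the token's presence proves the KDC issued it with the ticket;
     * the service still validates the token's own claims (expiry, audience) before
     * acting on any attribute in it.
     */
    public static String extractToken(GSSContext ctx, int tokenAdType) throws GSSException {
        for (AuthorizationDataEntry entry : authorizationData(ctx)) {
            if (entry.getType() == tokenAdType) {
                return new String(entry.getData(), StandardCharsets.UTF_8);
            }
            if (entry.getType() == AD_IF_RELEVANT) {
                // The JDK hands back the container as raw DER; if the KDC nests the token
                // inside AD-IF-RELEVANT, decode it with an ASN.1 library (for instance
                // Kerby's AuthorizationData type) and search the inner entries. Left raw here.
                continue;
            }
        }
        return null;
    }

    /** Driver: takes the base64 AP-REQ a SOAP client would put in its security header. */
    public static void main(String[] args) throws GSSException {
        byte[] apReq = java.util.Base64.getDecoder().decode(args[0]);
        GSSContext ctx = acceptServiceTicket(apReq);
        try {
            String jwt = extractToken(ctx, AD_TYPE_AUTHZ_TOKEN_PLACEHOLDER);
            System.out.println(jwt == null ? "no token in ticket" : "token: " + jwt);
        } finally {
            ctx.dispose();
        }
    }
}
```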

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Tuesday, July 05, 2016 9:56 PM
To: kerby@directory.apache.org
Subject: Re: JWT pre-authentication - get JWT token on service side

Thanks Kai! A final question (I hope) on the identity token use-case. Is the sole point of the signed JWT token here just to authenticate the client? In other words, the attributes defined in the JWT token are not really used (for the identity case)? I guess the KDC could interpret them in some way, although I'm not really sure what the use-case could be right now. I see a stronger use-case for the access token case, where we can insert authorization data that the service can interpret.

Colm.

On Mon, Jul 4, 2016 at 4:36 PM, Zheng, Kai <kai.zheng@intel.com> wrote:

> The armor TGT is exactly used to provide a key to encrypt the token to 
> protect it from being stolen. You can obtain an armor TGT via the 
> anonymous PKINIT mechanism, right? You may wonder why it uses the 
> armor ticket for the encryption key; think about how else to equip 
> clients and the KDC server with a shared but also secure key. The 
> armor mechanism is defined in the Kerberos preauth related spec where 
> FAST and the armored channel are defined.
>
> Regards,
> Kai
>
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Monday, July 04, 2016 11:26 PM
> To: Zheng, Kai <kai.zheng@intel.com>
> Cc: kerby@directory.apache.org
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
>
> On Mon, Jul 4, 2016 at 4:01 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> Regarding how to place the login module, I thought of putting it in the 
> kerb-client module in a separate package like 'jaas'; it would be good to 
> do it because it sounds useful now. We may have more such modules 
> when more authentication mechanisms come to be supported in future. We 
> often draft some code in tests initially, and when it looks good we 
> promote it to some better place.
>
> +1 to moving the TokenAuth login module to kerb-client
>
>
> About supporting an 'access' token in your case, I agree that having some way 
> to come up with the initiator GSS token wrapping the service ticket to 
> send out would be ideal and natural. That's why we're working on Kerby 
> based GSS support. Currently most of the work is done in the gssapi 
> branch contributed by Wei Zhou, but I have never got the chance to 
> play around with it and verify whether it works or not. Currently our guys are 
> pretty busy with other tasks, and will be back to such tasks probably in a month or so.
>
> Ok great, I can revisit the access token case at some stage in the 
> future when the GSS support is there. With regards to the "identity" 
> token case, the final thing I don't understand is the need to get an 
> initial armor TGT before getting a TGT using the Token. Is the sole 
> reason to prevent token leakage between the client and KDC? If so 
> wouldn't it suffice if the JWT token was encrypted?
> Thanks again,
>
> Colm.
>
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Monday, July 04, 2016 7:52 PM
> To: kerby@directory.apache.org
> Cc: Zheng, Kai <kai.zheng@intel.com>
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Thanks Jiajia, it's working well now. With regards to the LoginModule, 
> I made some changes to fix some NPEs. I also changed the logic 
> slightly, so that if the signing key is not specified, it just reads 
> in the token from the cache and writes it out "as is". If the token 
> was issued by say an OpenId Connect service, the client shouldn't be 
> signing it again. Perhaps the logic could be rewritten a bit, I'm open 
> to any ideas. Two questions on the LoginModule itself:
>
> a) Perhaps the LoginModule should be moved from the "integration-test"
> module? Or at least rename the module to something like 
> "token-integration".
> b) The LoginModule itself is not adding the KerberosPrincipal to the 
> Subject, I think it should do this rather than have the test code add 
> the Subject before the LoginModule is invoked.
>
> Getting back to the use-case itself, I think the main scenario of 
> interest is where the JWT Token is the "access" rather than "identity" 
> case. So the client gets a token from an OpenId Connect authorization 
> service targeted at a kerberized service. The client must then get a 
> token for the service using the JWT token, etc.
>
> Using the LoginModule + GSS approach as above works well for the "identity"
> case, where we're using the JWT token to get a TGT. But how can it 
> work for the case of using the JWT to get a Service ticket? With the 
> first approach we're using the GSS API to get the service ticket, and 
> I'm not sure if it's possible to change this to specify the JWT token somehow?
>
> Colm.
>
>
>
> On Mon, Jul 4, 2016 at 7:41 AM, Li, Jiajia <jiajia.li@intel.com> wrote:
>
> > I think this commit can fix the issue:
> >
> >
> > https://git-wip-us.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=358340dd2a60a36a69988f1dd7c509cf585acdc8
> >
> > @Colm, can you check it?
> >
> > Thanks
> > Jiajia
> >
> > -----Original Message-----
> > From: Li, Jiajia [mailto:jiajia.li@intel.com]
> > Sent: Monday, July 4, 2016 12:07 PM
> > To: Zheng, Kai <kai.zheng@intel.com>; kerby@directory.apache.org; coheigea@apache.org
> > Subject: RE: JWT pre-authentication - get JWT token on service side
> >
> > Hi Colm,
> >
> > As Kai said, it's a bug in the new module.
> >
> > >> However, if I look at the existing TokenAuthLoginModule, it just adds
> > >> the credential via:
> > >> subject.getPublicCredentials().add(krbToken);
> > >> It looks like GSS needs the TGT to be encoded in the Subject somehow?
> >
> > Yes, in the TokenAuthLoginModule, some credentials should be added 
> > to subject private credentials.
> > I will take some time to fix it.
> >
> > Regards,
> > Jiajia
> >
> > -----Original Message-----
> > From: Zheng, Kai
> > Sent: Saturday, July 2, 2016 6:31 AM
> > To: kerby@directory.apache.org; coheigea@apache.org; Li, Jiajia <jiajia.li@intel.com>
> > Subject: RE: JWT pre-authentication - get JWT token on service side
> >
> > Hi Colm,
> >
> > I didn't check the code yet, but generally the module should do a 
> > similar thing to Krb5LoginModule in the post-process of login. You 
> > seem to have found a bug in the new module.
> >
> > @Jiajia, would you have some comments? Thanks.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Friday, July 01, 2016 7:09 PM
> > To: kerby@directory.apache.org
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Hi Kai,
> >
> > Thanks for your reply. Ok writing a JAAS LoginModule that wraps the 
> > Kerby API is fine with me. However, if I look at the existing 
> > TokenAuthLoginModule, it just adds the credential via:
> >
> > subject.getPublicCredentials().add(krbToken);
> >
> > It looks like GSS needs the TGT to be encoded in the Subject somehow?
> > Please look at the following @Ignore'd test. I'm getting the Subject 
> > using the TokenAuthLoginModule and then attempting to get a service 
> > ticket using the GSS API and the Subject. It fails with "Caused by:
> > org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level:
> > Failed to find any Kerberos tgt)":
> >
> >
> > https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=68933ae0
> >
> > Colm.
> >
> >
> > On Fri, Jul 1, 2016 at 2:22 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> >
> > > Sorry for the late reply. Just got a chance to look at the code closely.
> > >
> > > I thought it's clearly right in the following test, where it 
> > > logs in first via JAAS, then gets a TGT, then an SGT, and then at last 
> > > you wrap the SGT in a GSS token. It gets the GSS token (roughly an 
> > > AppReq (of the SGT) in a token wrapper) and then lets it be validated 
> > > against a server key.
> > >
> > >     @Test
> > >     public void testGss() throws Exception {
> > >         Subject clientSubject = loginClientUsingTicketCache();
> > >         Set<Principal> clientPrincipals = clientSubject.getPrincipals();
> > >         Assert.assertFalse(clientPrincipals.isEmpty());
> > >
> > >         // Get the TGT
> > >         Set<KerberosTicket> privateCredentials =
> > >                 clientSubject.getPrivateCredentials(KerberosTicket.class);
> > >         Assert.assertFalse(privateCredentials.isEmpty());
> > >         KerberosTicket tgt = privateCredentials.iterator().next();
> > >         Assert.assertNotNull(tgt);
> > >
> > >         // Get the service ticket
> > >         KerberosClientExceptionAction action =
> > >                 new KerberosClientExceptionAction(clientPrincipals.iterator().next(),
> > >                         getServerPrincipal());
> > >
> > >         byte[] kerberosToken = (byte[]) Subject.doAs(clientSubject, action);
> > >         Assert.assertNotNull(kerberosToken);
> > >
> > >         validateServiceTicket(kerberosToken);
> > >     }
> > >
> > > I don't think it's right here. The point is the bytes to validate 
> > > at the last step shouldn't be the SGT directly; instead, it should 
> > > be a GSS token of an AppReq of the SGT. But you might ask how to 
> > > generate the GSS token? I don't have a better idea than the way used 
> > > in the above test method, that's to say, better to use the GSSAPI 
> > > layer in the JRE directly, since the Kerby one isn't ready yet.
> > >
> > > But how do you proceed in the way above? As you told in previous 
> > > emails, you don't want to use JAAS login modules, but rather use 
> > > the Kerby client API directly. I would suggest you still start 
> > > with JAAS, doing everything you want in a JAAS login 
> > > module (like calling the Kerby client API) to obtain a valid logged-in 
> > > subject or security context, and then do the rest as you did in 
> > > the above test method. It should be able to work, like we did or 
> > > will do in the token login module.
> > >
> > >     @Test
> > >     @org.junit.Ignore
> > >     public void testKerbyClientAndGssService() throws Exception {
> > >         KrbClient client = getKrbClient();
> > >         client.init();
> > >
> > >         try {
> > >             // Get a service ticket using Kerby APIs
> > >             TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
> > >             Assert.assertTrue(tgt != null);
> > >
> > >             SgtTicket tkt = client.requestSgt(tgt, getServerPrincipal());
> > >             Assert.assertTrue(tkt != null);
> > >
> > >             Credential credential = new Credential(tkt, tgt.getClientPrincipal());
> > >             CredentialCache cCache = new CredentialCache();
> > >             cCache.addCredential(credential);
> > >             cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
> > >
> > >             ByteArrayOutputStream bout = new ByteArrayOutputStream();
> > >             CredCacheOutputStream os = new CredCacheOutputStream(bout);
> > >             cCache.store(bout);
> > >             os.close();
> > >
> > >             // Now validate the ticket using GSS
> > >             validateServiceTicket(bout.toByteArray());
> > >         } catch (Exception e) {
> > >             e.printStackTrace();
> > >             Assert.fail();
> > >         }
> > >     }
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Wednesday, June 29, 2016 4:37 PM
> > > To: kerby@directory.apache.org
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > Sure, no rush :-)
> > >
> > > Colm.
> > >
> > > On Wed, Jun 29, 2016 at 2:48 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > >
> > > > Hi Colm, I will look at this later today. Hope it works for you.
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > Sent: Tuesday, June 28, 2016 10:00 PM
> > > > To: kerby@directory.apache.org
> > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Hi Kai,
> > > >
> > > > Could you take a look at the @Ignore'd test-case I just committed:
> > > >
> > > >
> > > > https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=blobdiff;f=kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java;h=7e0d269f6e0c19fb4f750dd98542a4d5011e1dc5;hp=832d59dda4b0b0739ef5a1228da0b7bb20c10ab9;hb=1bce738d;hpb=79d4a584129026bcf920dd1ae5c28c27c6971412
> > > >
> > > > It gets a SgtTicket using Kerby and tries to get the resulting 
> > > > service token in byte array form to validate with GSS. Running 
> > > > the test leads to:
> > > >
> > > > Caused by: GSSException: Defective token detected (Mechanism level:
> > > > GSSHeader did not find the right tag)
> > > >
> > > > I get the same error if I just do "sgtTicket.getTicket().encode()".
> > > >
> > > > Colm.
> > > >
> > > > On Thu, Jun 23, 2016 at 9:26 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > >
> > > > > I’m just back from my sleep. ☺
> > > > >
> > > > > Regarding how to get the service ticket from the SgtTicket object 
> > > > > in bytes, probably you do sgtTicket.getTicket().encode(). If 
> > > > > it doesn't work, please reference the code in 
> > > > > CredCacheOutputStream.java to see how it stores a ticket in a file.
> > > > >
> > > > > Regards,
> > > > > Kai
> > > > >
> > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > Sent: Thursday, June 23, 2016 11:25 PM
> > > > > To: Zheng, Kai <kai.zheng@intel.com>
> > > > > Cc: kerby@directory.apache.org
> > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > >
> > > > >
> > > > > On Thu, Jun 23, 2016 at 3:28 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > I see. Why do you want to validate it using GSS on the client side?
> > > > > Because the client gets it and then should just trust it, right?
> > > > > To validate a service ticket needs the service key or keytab, 
> > > > > which is why I thought it could be on the server side.
> > > > >
> > > > > Just to test that it works! See the unit test called "unitGSSTest" here:
> > > > >
> > > > >
> > > > > https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-kerberos-kerby/src/test/java/org/apache/coheigea/cxf/kerberos/authentication/AuthenticationTest.java
> > > > > Using the GSS API I do:
> > > > >
> > > > > byte[] ticket = (byte[]) Subject.doAs(clientSubject, action); ...
> > > > > validateServiceTicket(ticket);
> > > > >
> > > > >
> > > > > I got your scenario. Are you able to obtain the service ticket or not? You 
> > > > > seem to, because you said you can use a JWT token for that. But 
> > > > > then you asked how to access the service ticket on the client 
> > > > > side using the Kerby API. Did you have the SgtTicket in hand? 
> > > > > If yes, I thought then you can extract something from it to 
> > > > > put into the SOAP header.
> > > > > Could you point to the relevant spec about that? I may then 
> > > > > have a concrete idea to help.
> > > > >
> > > > > Yes I have the SgtTicket in hand. Now I want to extract the 
> > > > > service ticket from this class as an array of bytes, similar to what I get 
> > > > > above from Subject.doAs using the GSS API. I know how to put 
> > > > > the Kerberos token in the SOAP header, my question is how to get it 
> > > > > from SgtTicket in the first place :-)
> > > > > Thanks again for your help,
> > > > >
> > > > > Colm.
> > > > >
> > > > >
> > > > > Regards,
> > > > > Kai
> > > > >
> > > > > -----Original Message-----
> > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > Sent: Thursday, June 23, 2016 9:40 PM
> > > > > To: kerby@directory.apache.org
> > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > >
> > > > > On Thu, Jun 23, 2016 at 2:31 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > >
> > > > > >
> > > > > > >> How do I extract the token from SgtTicket that I can 
> > > > > > >> validate using GSS?
> > > > > > Sorry, but where do you want to do this? App client side or 
> > > > > > server side?
> > > > > > If on the server side, I thought you have already made it, as 
> > > > > > your previous email notified, being able to query/extract 
> > > > > > the authorization data and get the token from it. Would you 
> > > > > > clarify a bit?
> > > > > >
> > > > >
> > > > > On the client side. So what I want to do is use the Kerby API 
> > > > > to get a service ticket (using a JWT token) and then extract 
> > > > > the ticket from the KDC response + validate it using GSS. For example, for SOAP web 
> > > > > services, the service ticket is inserted into the SOAP header 
> > > > > of the web services call in BASE-64 format. So the question is, how can I get access to 
> > > > > the service ticket on the client side using the Kerby API?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Colm.
> > > > >
> > > > >
> > > > > >
> > > > > > Regards,
> > > > > > Kai
> > > > > >
> > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > Sent: Thursday, June 23, 2016 7:59 PM
> > > > > > To: Zheng, Kai <kai.zheng@intel.com>
> > > > > > Cc: kerby@directory.apache.org
> > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > >
> > > > > > Hi Kai,
> > > > > >
> > > > > > On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > >
> > > > > > Great question. Here what you need would be a login module 
> > > > > > using the token, and the module will send the token to the KDC for a 
> > > > > > TGT to get an SGT that's to be used in a GSS session. We 
> > > > > > already have the module, please look at TokenAuthLoginModule.
> > > > > >
> > > > > > From what I can see, the TokenAuthLoginModule just gets the 
> > > > > > TGT and not the SGT. However, I can get the service ticket 
> > > > > > easily enough via the Kerby API from this. How do I extract 
> > > > > > the token from SgtTicket that I can validate using GSS?
> > > > > >
> > > > > >
> > > > > > Regards,
> > > > > > Kai
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > Sent: Wednesday, June 22, 2016 9:36 PM
> > > > > > To: kerby@directory.apache.org
> > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > Some more questions on this task:
> > > > > >
> > > > > > 1) Kai, you mentioned the AuthzToken type. Is this defined 
> > > > > > somewhere so that I can add it in to the AuthorizationType class?
> > > > > >
> > > > > > 2) Currently, the TokenIssuer class asks the IdentityService 
> > > > > > for the authorization data. However, the IdentityService 
> > > > > > doesn't have access to the token. Is it reasonable default 
> > > > > > behaviour to insert the received token in the TokenIssuer as 
> > > > > > the authorization data, and if none exists fall back to ask 
> > > > > > the IdentityService for any authorization data?
> > > > > >
> > > > > > 3) I can extract the token on the service side using the GSS 
> > > > > > API in the way suggested by Kai. However, how can I send the 
> > > > > > token to the KDC on the client side using GSS?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Colm.
> > > > > >
> > > > > > On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > >
> > > > > > > It's not a bug. It works that way; the temp value will be 
> > > > > > > there only after you have decoded/decrypted the part.
> > > > > > >
> > > > > > > Note the SGT is used/consumed on the app server side, and can be 
> > > > > > > decrypted using the server ticket/key. I suggest you try 
> > > > > > > this in the GssAppTest code using the example code I 
> > > > > > > provided in my last email, where you should be able to 
> > > > > > > query/extract the authorization data. If you put the token 
> > > > > > > in the authorization data, then after decoding it, you 
> > > > > > > could extract the token from it.
> > > > > > > I remember we had defined the AuthzToken type for this 
> > > > > > > actually, but guess it's not used yet.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Kai
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > > Sent: Friday, June 17, 2016 7:21 PM
> > > > > > > To: kerby@directory.apache.org
> > > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > > >
> > > > > > > Thanks Kai and Jiajia!
> > > > > > >
> > > > > > > I'm trying to get access to the authorization data using 
> > > > > > > the Kerby API after getting a service ticket:
> > > > > > >
> > > > > > > SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc, cCacheFile.getPath());
> > > > > > >
> > > > > > > However the following is null:
> > > > > > >
> > > > > > > tkt.getTicket().getEncPart()
> > > > > > >
> > > > > > > Is this a bug or how else can I parse the ticket to get 
> > > > > > > the authorization data?
> > > > > > >
> > > > > > > Colm.
> > > > > > >
> > > > > > > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > > >
> > > > > > > > Thanks Jiajia for the first question!
> > > > > > > >
> > > > > > > > For the second one, since you're using GSS, the even 
> > > > > > > > lower level, which is more fine, it should be totally doable. Ref.
> > > > > > > > the following doc:
> > > > > > > >
> > > > > > > > https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
> > > > > > > >
> > > > > > > >       GSSContext ctxt = m.createContext(...)
> > > > > > > >       // Establishing the context
> > > > > > > >       if (ctxt instanceof ExtendedGSSContext) {
> > > > > > > >           ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
> > > > > > > >           try {
> > > > > > > >               Key key = (Key)ex.inquireSecContext(
> > > > > > > >                       InquireType.KRB5_GET_SESSION_KEY);
> > > > > > > >               // read key info
> > > > > > > >           } catch (GSSException gsse) {
> > > > > > > >               // deal with exception
> > > > > > > >           }
> > > > > > > >       }
> > > > > > > >
> > > > > > > > As you can see, after establishing the GSS context, you 
> > > > > > > > can query the SESSION_KEY from the layer. You can also 
> > > > > > > > query the AUTHZ_DATA field similarly!
> > > > > > > > After you get the authz data, it's up to you to decode it, 
> > > > > > > > say using the Kerby library to decode the ASN1 object and 
> > > > > > > > extract any info in it like the token.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Kai
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Li, Jiajia [mailto:jiajia.li@intel.com]
> > > > > > > > Sent: Thursday, June 16, 2016 7:50 PM
> > > > > > > > To: kerby@directory.apache.org; coheigea@apache.org
> > > > > > > > Subject: RE: JWT pre-authentication - get JWT token on service side
> > > > > > > >
> > > > > > > > Hi Colm,
> > > > > > > >
> > > > > > > > For the first question: I think now the token has not 
> > > > > > > > been put into the issued service ticket as authorization data.
> > > > > > > > You can look at issueTicket()#TgsRequest.java on the server 
> > > > > > > > side for detail.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Jiajia
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > > > Sent: Thursday, June 16, 2016 7:19 PM
> > > > > > > > To: kerby@directory.apache.org
> > > > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > > > >
> > > > > > > > Thanks Kai. A few questions below.
> > > > > > > >
> > > > > > > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > > > >
> > > > > > > > >
> > > > > > > > > 1. For issuing the service ticket, the token used to do 
> > > > > > > > > the authentication or a token derivation was put into 
> > > > > > > > > the issued service ticket as authorization data. I'm 
> > > > > > > > > not sure whether the current Kerby impl has done this or 
> > > > > > > > > not. If not, it should not be difficult to support it, 
> > > > > > > > > considering we have some Kerby authorization support now.
> > > > > > > > >
> > > > > > > >
> > > > > > > > I can take a look at this. Can you give me some pointers 
> > > > > > > > in the code so that I know where to start?
> > > > > > > >
> > > > > > > >
> > > > > > > > >
> > > > > > > > > 2. On the application server side, it should be able to
> > > > > > > > > query and extract out the token encapsulated in the
> > > > > > > > > authorization data field in the service ticket. This
> > > > > > > > > should be doable now, because a proposal from me quite
> > > > > > > > > some time ago had already been accepted by Oracle Java, as
> > > > > > > > > recorded in the following ticket, though I hadn't got
> > > > > > > > > the chance to verify it using the latest JDK update like
> > > > > > > > > JDK8.
> > > > > > > > >
> > > > > > > > > JDK-8044085, our extension proposal accepted and committed:
> > > > > > > > > allowing querying the authorization data field of a service
> > > > > > > > > ticket.
> > > > > > > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > > > > > > >
> > > > > > > >
> > > > > > > > The JDK service ticket only refers to SASL. If I'm just
> > > > > > > > using GSS on the service side, is it already supported?
> > > > > > > > If so, how can I extract it?
> > > > > > > >
> > > > > > > > Colm.
> > > > > > > >
> > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > So in summary, if you want to try this, I would
> > > > > > > > > suggest please go ahead since it's doable now. Please
> > > > > > > > > let me know if you have other questions.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > Kai
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > > > > > > To: kerby@directory.apache.org
> > > > > > > > > Subject: JWT pre-authentication - get JWT token on
> > > > > > > > > service side
> > > > > > > > >
> > > > > > > > > Hi all,
> > > > > > > > >
> > > > > > > > > For the JWT pre-authentication use-case, how can I get 
> > > > > > > > > access to the token information on the service side?
> > > > > > > > >
> > > > > > > > > From the documentation: "The service authenticates the
> > > > > > > > > ticket, extracts the token derivation, then enforce
> > > > > > > > > any advanced authorization by employing the token
> > > > > > > > > derivation and token attributes"
> > > > > > > > >
> > > > > > > > > Is there an example in the code to look at?
> > > > > > > > >
> > > > > > > > > Colm.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Colm O hEigeartaigh
> > > > > > > > >
> > > > > > > > > Talend Community Coder http://coders.talend.com
> > > > > > > > >



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
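Added example, not code from this thread or from Kerby: how a JDK GSS acceptor can read the authorization data Kai refers to, through the JDK-8044085 extension (InquireType.KRB5_GET_AUTHZ_DATA on com.sun.security.jgss.ExtendedGSSContext). It does not depend on SASL, which is the "if I'm just using GSS" case Colm asks about. The ad-type constant TOKEN_AD_TYPE is an assumed placeholder, since the thread does not say which ad-type number Kerby uses for the token or its derivation; the class and method names are mine.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;

/**
 * Service-side (acceptor) lookup of authorization data carried in the
 * accepted service ticket, via the JDK-8044085 extension.
 */
public final class ServiceTicketAuthzData {

    /**
     * ASSUMPTION: the ad-type number under which the KDC stores the token
     * or its derivation. The thread does not give Kerby's value; replace
     * this placeholder with the number your KDC actually uses.
     */
    public static final int TOKEN_AD_TYPE = 0;

    private ServiceTicketAuthzData() {}

    /**
     * Returns the raw ad-data of every entry whose ad-type matches.
     * Call this on the acceptor after acceptSecContext() has completed:
     * the entries come from the ticket the KDC encrypted under the service
     * key, so their integrity rests on the ticket, not on the caller.
     * Querying on the initiator side raises GSSException in the JDK.
     */
    public static List<byte[]> findEntries(GSSContext ctx, int adType) throws GSSException {
        if (!(ctx instanceof ExtendedGSSContext)) {
            throw new IllegalArgumentException("context does not support inquireSecContext()");
        }
        if (!ctx.isEstablished()) {
            throw new IllegalStateException("security context is not established yet");
        }
        ExtendedGSSContext ex = (ExtendedGSSContext) ctx;
        Object result = ex.inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
        List<byte[]> found = new ArrayList<>();
        if (result == null) {
            return found; // the ticket carried no authorization data at all
        }
        for (AuthorizationDataEntry entry : (AuthorizationDataEntry[]) result) {
            if (entry.getType() == adType) {
                found.add(entry.getData());
            }
        }
        return found;
    }

    /**
     * Decodes the claims (second) segment of a compact JWS for inspection.
     * This only decodes: signature verification and claim checks such as
     * exp and aud remain the JWT library's job before any authorization
     * decision is taken on the claims.
     */
    public static String decodeJwsPayload(String compactJws) {
        String[] parts = compactJws.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS (expected header.payload.signature)");
        }
        byte[] json = Base64.getUrlDecoder().decode(parts[1]);
        return new String(json, StandardCharsets.UTF_8);
    }

    /** Convenience: first matching entry interpreted as a UTF-8 compact JWS, or null. */
    public static String firstTokenAsJws(GSSContext ctx) throws GSSException {
        List<byte[]> entries = findEntries(ctx, TOKEN_AD_TYPE);
        if (entries.isEmpty()) {
            return null;
        }
        return new String(entries.get(0), StandardCharsets.UTF_8);
    }
}
```

Two things to keep in mind when wiring this in. The query returns the entries as they sit in the ticket's EncTicketPart; if the KDC nests the token inside an AD-IF-RELEVANT container (ad-type 1, RFC 4120), the matching entry is the container, and its ad-data is itself a DER AuthorizationData sequence that has to be decoded one level further before the inner ad-type can be matched. And whether the service ticket carries the token at all depends on the KDC putting it there at TGS time, which is exactly the open question in point 1 of Kai's reply; this code can only read what the KDC issued.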