directory-kerby mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: JWT pre-authentication - get JWT token on service side
Date Mon, 18 Jul 2016 11:15:12 GMT
Hi Kai,

I'm not convinced that the authorization data should be copied from TGT to
Service Ticket. For example, the JWT token could contain some roles
targeted at the KDC (via the audience of the token). Adding this data to
service tickets would mean that the roles only intended for the KDC could
now be applied to services etc.

Colm.
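The audience concern above, as an added example that is not part of Colm's message and is not Kerby code: a KDC-side check that lets a token's attributes into a ticket only when the token's `aud` names that ticket's consumer, so the TGS step re-derives the service ticket's authorization data from the token instead of copying the TGT's. Everything specific here is an assumption for the example: nimbus-jose-jwt on the classpath, HS256 with a shared secret standing in for the OpenID Connect provider's signature, the string `krbtgt/EXAMPLE.COM@EXAMPLE.COM` as the KDC's audience, and a `roles` claim.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/**
 * Added example, not Kerby code. Authorization data derived from a JWT is
 * scoped by the token's "aud" claim: attributes meant for the KDC never reach
 * a service ticket, and a service ticket only carries attributes from a token
 * whose audience names that service.
 *
 * Assumptions: HS256 with a shared secret stands in for the OpenID Connect
 * provider's signature; the KDC is addressed by the audience below; roles
 * live in a "roles" claim.
 */
public final class AudienceScopedAuthz {

    static final String KDC_AUDIENCE = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
    static final String SERVICE_PRINCIPAL = "HTTP/www.example.com@EXAMPLE.COM";

    /** Attributes a ticket for {@code consumer} may carry; empty if the token was not issued for it. */
    public static Map<String, List<String>> authzDataFor(SignedJWT jwt, byte[] verifyKey, String consumer)
            throws Exception {
        if (!jwt.verify(new MACVerifier(verifyKey))) {
            throw new SecurityException("JWT signature does not verify");
        }
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        if (exp == null || !exp.after(new Date())) {
            throw new SecurityException("JWT has no exp or has expired");
        }
        List<String> aud = claims.getAudience();
        if (aud == null || !aud.contains(consumer)) {
            // The token may still prove who the client is, but its attributes were
            // addressed to someone else and must not be applied to this ticket.
            return Collections.emptyMap();
        }
        Map<String, List<String>> attrs = new TreeMap<>();
        List<String> roles = claims.getStringListClaim("roles");
        if (roles != null) {
            attrs.put("roles", roles);
        }
        return attrs;
    }

    /** Builds a signed test token (constructed input for this example). */
    static SignedJWT token(byte[] key, String subject, List<String> audience, List<String> roles)
            throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(subject)
                .audience(audience)
                .claim("roles", roles)
                .expirationTime(new Date(System.currentTimeMillis() + 5 * 60 * 1000L))
                .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        jwt.sign(new MACSigner(key));
        return jwt;
    }

    public static void main(String[] args) throws Exception {
        // 32-byte secret: the minimum MACSigner accepts for HS256 (constructed, not a real key).
        byte[] key = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

        // Identity token: audience is the KDC, so its roles are meant for the KDC only.
        SignedJWT identity = token(key, "alice", Collections.singletonList(KDC_AUDIENCE),
                Arrays.asList("kdc-admin"));
        // Access token: audience is the kerberized service.
        SignedJWT access = token(key, "alice", Collections.singletonList(SERVICE_PRINCIPAL),
                Arrays.asList("reader"));

        // AS exchange: the TGT issued from the identity token carries the KDC-scoped roles.
        Map<String, List<String>> tgtAuthz = authzDataFor(identity, key, KDC_AUDIENCE);
        // TGS exchange: tgtAuthz is NOT copied; the service ticket's data is re-derived per consumer.
        Map<String, List<String>> sgtFromIdentity = authzDataFor(identity, key, SERVICE_PRINCIPAL);
        Map<String, List<String>> sgtFromAccess = authzDataFor(access, key, SERVICE_PRINCIPAL);

        System.out.println("TGT authz data (identity token): " + tgtAuthz);
        System.out.println("SGT authz data (identity token): " + sgtFromIdentity);
        System.out.println("SGT authz data (access token):   " + sgtFromAccess);
        if (!sgtFromIdentity.isEmpty()) {
            throw new AssertionError("KDC-scoped roles leaked into a service ticket");
        }
    }
}
```

The same function serves both exchanges; only the consumer argument changes, which is what makes copying TGT authorization data into a service ticket unnecessary as well as unsafe.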



On Thu, Jul 14, 2016 at 11:27 PM, Zheng, Kai <kai.zheng@intel.com> wrote:

> Hi Colm,
>
> Sorry for the very late response. I'm just back from a travel. My answers
> to your questions are yes, and it's great if we could make it all work
> seamlessly!
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Friday, July 08, 2016 5:16 PM
> To: kerby@directory.apache.org
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Hi Kai,
>
> > For example, when the identity token is used to issue a TGT, is a token
> > derivation of the useful attributes generated and put into the issued TGT?
>
> By putting the token derivation into the issued TGT, are you referring to
> inserting it into the authorization data (as for the access token case)? If
> so, then not yet, but I have some code locally that should work that I will
> submit shortly.
>
> > When the TGT is used to issue a service ticket, is the token
> > derivation put into the issued service ticket?
>
> Right now, no. Should we copy the authorization data of the TGT into the
> service ticket?
>
> Colm.
>
> On Wed, Jul 6, 2016 at 5:06 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> > Sorry Colm, for the late reply.
> >
> > I thought the identity token not only can do the authentication for the
> > client instead of the user password, but also can do a similar thing to,
> > or even more than, the access token. It can also carry some useful
> > attributes, and the attributes should also be able to pass down to the app
> > server side for a similar purpose. However, I haven't checked the existing
> > code yet and am not sure we did everything to make it work that way. For
> > example, when the identity token is used to issue a TGT, is a token
> > derivation of the useful attributes generated and put into the issued
> > TGT? When the TGT is used to issue a service ticket, is the token
> > derivation put into the issued service ticket? With that, you should
> > be able to make the use case work via the identity token, instead of the
> > access token, as the workaround.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Tuesday, July 05, 2016 9:56 PM
> > To: kerby@directory.apache.org
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Thanks Kai! A final question (I hope) on the identity token use-case.
> > Is the sole point of the signed JWT token here just to authenticate
> > the client? In other words, the attributes defined in the JWT token
> > are not really used (for the identity case)? I guess the KDC could
> > interpret them in some way, although I'm not really sure what the
> > use-case could be right now. I see a stronger use-case for the access
> > token case, where we can insert authorization data that the service can
> > interpret.
> >
> > Colm.
> >
> > On Mon, Jul 4, 2016 at 4:36 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> >
> > > The armor TGT is exactly used to provide a key to encrypt the token
> > > to protect it from being stolen. You can obtain an armor TGT via
> > > the anonymous PKINIT mechanism, right? You may wonder why it would use
> > > the armor ticket for the encryption key; please think about how
> > > otherwise to equip clients and the KDC server with a shared but
> > > also secure key.
> > > The armor mechanism is defined in the Kerberos preauth related spec
> > > where FAST and the armored channel are defined.
> > >
> > > Regards,
> > > Kai
> > >
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Monday, July 04, 2016 11:26 PM
> > > To: Zheng, Kai <kai.zheng@intel.com>
> > > Cc: kerby@directory.apache.org
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > >
> > > On Mon, Jul 4, 2016 at 4:01 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > Regarding how to place the login module, I thought of putting it in
> > > the kerb-client module in a separate package like 'jaas'; it would be
> > > good to do so because it sounds useful now. We may have more such
> > > modules when more authentication mechanisms turn out to be supported in
> > > future. We often draft some code in tests initially; when it looks
> > > good, then we promote it to some better place.
> > >
> > > +1 to moving the TokenAuth login module to kerb-client
> > >
> > >
> > > About supporting the 'access' token in your case, I agree having some
> > > way to come up with the initiator GSS token wrapping the service
> > > ticket to send out would be ideal and natural. That's why we're
> > > working on Kerby based GSS support. Currently most of the work is
> > > done in the gssapi branch contributed by Wei Zhou, but I have never
> > > got the chance to play around with it and verify whether it works or not.
> > > Currently our guys are pretty busy with other tasks, and will be
> > > back to such tasks probably in a month or so.
> > >
> > > Ok great, I can revisit the access token case at some stage in the
> > > future when the GSS support is there. With regards to the "identity"
> > > token case, the final thing I don't understand is the need to get an
> > > initial armor TGT before getting a TGT using the Token. Is the sole
> > > reason to prevent token leakage between the client and KDC? If so
> > > wouldn't it suffice if the JWT token was encrypted?
> > > Thanks again,
> > >
> > > Colm.
> > >
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Monday, July 04, 2016 7:52 PM
> > > To: kerby@directory.apache.org
> > > Cc: Zheng, Kai <kai.zheng@intel.com>
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > Thanks Jiajia, it's working well now. With regards to the
> > > LoginModule, I made some changes to fix some NPEs. I also changed
> > > the logic slightly, so that if the signing key is not specified, it
> > > just reads in the token from the cache and writes it out "as is". If
> > > the token was issued by say an OpenId Connect service, the client
> > > shouldn't be signing it again. Perhaps the logic could be rewritten
> > > a bit, I'm open to any ideas. Two questions on the LoginModule itself:
> > >
> > > a) Perhaps the LoginModule should be moved from the "integration-test"
> > > module? Or at least rename the module to something like
> > > "token-integration".
> > > b) The LoginModule itself is not adding the KerberosPrincipal to the
> > > Subject, I think it should do this rather than have the test code
> > > add the Subject before the LoginModule is invoked.
> > >
> > > Getting back to the use-case itself, I think the main scenario of
> > > interest is where the JWT Token is the "access" rather than "identity"
> > > case. So the client gets a token from an OpenId Connect
> > > authorization service targeted at a kerberized service. The client
> > > must then get a token for the service using the JWT token, etc.
> > >
> > > Using the LoginModule + GSS approach as above works well for the
> > > "identity" case, where we're using the JWT token to get a TGT. But how
> > > can it work for the case of using the JWT to get a Service ticket? With
> > > the first approach we're using the GSS API to get the service ticket,
> > > and I'm not sure if it's possible to change this to specify the JWT
> > > token somehow?
> > >
> > > Colm.
> > >
> > >
> > >
> > > On Mon, Jul 4, 2016 at 7:41 AM, Li, Jiajia <jiajia.li@intel.com> wrote:
> > >
> > > > I think this commit can fix the issue:
> > > >
> > > > https://git-wip-us.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=358340dd2a60a36a69988f1dd7c509cf585acdc8
> > > >
> > > > @Colm, can you check it?
> > > >
> > > > Thanks
> > > > Jiajia
> > > >
> > > > -----Original Message-----
> > > > From: Li, Jiajia [mailto:jiajia.li@intel.com]
> > > > Sent: Monday, July 4, 2016 12:07 PM
> > > > To: Zheng, Kai <kai.zheng@intel.com>; kerby@directory.apache.org;
> > > > coheigea@apache.org
> > > > Subject: RE: JWT pre-authentication - get JWT token on service
> > > > side
> > > >
> > > > Hi Colm,
> > > >
> > > > As Kai said, it's a bug in the new module.
> > > >
> > > > >> However, if I look at the existing TokenAuthLoginModule, it just
> > > > >> adds the credential via:
> > > > >> subject.getPublicCredentials().add(krbToken);
> > > > >> It looks like GSS needs the TGT to be encoded in the Subject somehow?
> > > >
> > > > Yes, in the TokenAuthLoginModule, some credentials should be added
> > > > to subject private credentials.
> > > > I will take some time to fix it.
> > > >
> > > > Regards,
> > > > Jiajia
> > > >
> > > > -----Original Message-----
> > > > From: Zheng, Kai
> > > > Sent: Saturday, July 2, 2016 6:31 AM
> > > > To: kerby@directory.apache.org; coheigea@apache.org; Li, Jiajia <jiajia.li@intel.com>
> > > > Subject: RE: JWT pre-authentication - get JWT token on service
> > > > side
> > > >
> > > > Hi Colm,
> > > >
> > > > I didn't check the code yet, but generally the module should do
> > > > a similar thing to Krb5LoginModule in the post-processing of login.
> > > > You seem to have found a bug in the new module.
> > > >
> > > > @Jiajia, would you have some comments? Thanks.
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > Sent: Friday, July 01, 2016 7:09 PM
> > > > To: kerby@directory.apache.org
> > > > Subject: Re: JWT pre-authentication - get JWT token on service
> > > > side
> > > >
> > > > Hi Kai,
> > > >
> > > > Thanks for your reply. Ok writing a JAAS LoginModule that wraps
> > > > the Kerby API is fine with me. However, if I look at the existing
> > > > TokenAuthLoginModule, it just adds the credential via:
> > > >
> > > > subject.getPublicCredentials().add(krbToken);
> > > >
> > > > It looks like GSS needs the TGT to be encoded in the Subject somehow?
> > > > Please look at the following @Ignore'd test. I'm getting the
> > > > Subject using the TokenAuthLoginModule and then attempting to get
> > > > a service ticket using the GSS API and the Subject. It fails with
> > > > "Caused by: org.ietf.jgss.GSSException: No valid credentials provided
> > > > (Mechanism level: Failed to find any Kerberos tgt)":
> > > >
> > > > https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=68933ae0
> > > >
> > > > Colm.
> > > >
> > > >
> > > > On Fri, Jul 1, 2016 at 2:22 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > >
> > > > > Sorry for the lateness. Just got a chance to look at the code closely.
> > > > >
> > > > > I thought it's clearly right in the following test, where it
> > > > > logs in first via JAAS, then gets the TGT, then the SGT, and then at
> > > > > last you wrap the SGT in a GSS token. It got the GSS token (roughly
> > > > > an AP-REQ (of the SGT) in a token wrapper) and then let it be
> > > > > validated against a server key.
> > > > >
> > > > >     @Test
> > > > >     public void testGss() throws Exception {
> > > > >         Subject clientSubject = loginClientUsingTicketCache();
> > > > >         Set<Principal> clientPrincipals = clientSubject.getPrincipals();
> > > > >         Assert.assertFalse(clientPrincipals.isEmpty());
> > > > >
> > > > >         // Get the TGT (JAAS put it in the Subject's private credentials)
> > > > >         Set<KerberosTicket> privateCredentials =
> > > > >                 clientSubject.getPrivateCredentials(KerberosTicket.class);
> > > > >         Assert.assertFalse(privateCredentials.isEmpty());
> > > > >         KerberosTicket tgt = privateCredentials.iterator().next();
> > > > >         Assert.assertNotNull(tgt);
> > > > >
> > > > >         // Get the service ticket: the GSS initiator token wrapping the AP-REQ
> > > > >         KerberosClientExceptionAction action =
> > > > >                 new KerberosClientExceptionAction(clientPrincipals.iterator().next(),
> > > > >                         getServerPrincipal());
> > > > >
> > > > >         byte[] kerberosToken = (byte[]) Subject.doAs(clientSubject, action);
> > > > >         Assert.assertNotNull(kerberosToken);
> > > > >
> > > > >         validateServiceTicket(kerberosToken);
> > > > >     }
> > > > >
> > > > > I don't think it's right here. The point is the bytes to
> > > > > validate at the last step shouldn't be the SGT directly;
> > > > > instead, it should be a GSS token of the AP-REQ of the SGT. But you
> > > > > might ask how to generate the GSS token? I don't have a better
> > > > > idea than the way used in the above test method, that's to say,
> > > > > better to use the GSSAPI layer in the JRE directly, since the Kerby
> > > > > one hasn't been ready yet.
> > > > >
> > > > > But how do you proceed in the way as above? As you told in previous
> > > > > emails, you don't want to use JAAS login modules, but rather use
> > > > > the Kerby client API directly. I would suggest you still go
> > > > > starting with JAAS, doing everything you want in a JAAS login
> > > > > module (like calling the Kerby client API) and obtain a valid
> > > > > logged-in subject or security context, and then do the rest as you
> > > > > did in the above test method. It should be able to work, like we
> > > > > did or will do in the token login module.
> > > > >
> > > > >     @Test
> > > > >     @org.junit.Ignore
> > > > >     public void testKerbyClientAndGssService() throws Exception {
> > > > >         KrbClient client = getKrbClient();
> > > > >         client.init();
> > > > >
> > > > >         try {
> > > > >             // Get a service ticket using Kerby APIs
> > > > >             TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
> > > > >             Assert.assertTrue(tgt != null);
> > > > >
> > > > >             SgtTicket tkt = client.requestSgt(tgt, getServerPrincipal());
> > > > >             Assert.assertTrue(tkt != null);
> > > > >
> > > > >             // Write the service ticket out in credential cache format
> > > > >             Credential credential = new Credential(tkt, tgt.getClientPrincipal());
> > > > >             CredentialCache cCache = new CredentialCache();
> > > > >             cCache.addCredential(credential);
> > > > >             cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
> > > > >
> > > > >             ByteArrayOutputStream bout = new ByteArrayOutputStream();
> > > > >             CredCacheOutputStream os = new CredCacheOutputStream(bout);
> > > > >             cCache.store(bout);
> > > > >             os.close();
> > > > >
> > > > >             // Now validate the ticket using GSS
> > > > >             validateServiceTicket(bout.toByteArray());
> > > > >         } catch (Exception e) {
> > > > >             e.printStackTrace();
> > > > >             Assert.fail();
> > > > >         }
> > > > >     }
> > > > >
> > > > > -----Original Message-----
> > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > Sent: Wednesday, June 29, 2016 4:37 PM
> > > > > To: kerby@directory.apache.org
> > > > > Subject: Re: JWT pre-authentication - get JWT token on service
> > > > > side
> > > > >
> > > > > Sure, no rush :-)
> > > > >
> > > > > Colm.
> > > > >
> > > > > On Wed, Jun 29, 2016 at 2:48 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > >
> > > > > > Hi Colm, I will look at this later today. Hope it works for you.
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > Sent: Tuesday, June 28, 2016 10:00 PM
> > > > > > To: kerby@directory.apache.org
> > > > > > Subject: Re: JWT pre-authentication - get JWT token on service
> > > > > > side
> > > > > >
> > > > > > Hi Kai,
> > > > > >
> > > > > > Could you take a look at the @Ignore'd test-case I just committed:
> > > > > >
> > > > > >
> > > > > > https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=blobdiff;f=kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java;h=7e0d269f6e0c19fb4f750dd98542a4d5011e1dc5;hp=832d59dda4b0b0739ef5a1228da0b7bb20c10ab9;hb=1bce738d;hpb=79d4a584129026bcf920dd1ae5c28c27c6971412
> > > > > >
> > > > > > It gets a SgtTicket using Kerby and tries to get the resulting
> > > > > > service token in byte array form to validate with GSS. Running
> > > > > > the test leads to:
> > > > > >
> > > > > > Caused by: GSSException: Defective token detected (Mechanism level:
> > > > > > GSSHeader did not find the right tag)
> > > > > >
> > > > > > I get the same error if I just do "sgtTicket.getTicket().encode()".
> > > > > >
> > > > > > Colm.
> > > > > >
> > > > > > On Thu, Jun 23, 2016 at 9:26 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > >
> > > > > > > I’m just back from my sleep. ☺
> > > > > > >
> > > > > > > Regarding how to get the service ticket from the SgtTicket
> > > > > > > object in bytes, probably you do
> > > > > > > sgtTicket.getTicket().encode(). If it doesn't work, please
> > > > > > > reference the code in CredCacheOutputStream.java to see how
> > > > > > > it stores a ticket in a file.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Kai
> > > > > > >
> > > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > > Sent: Thursday, June 23, 2016 11:25 PM
> > > > > > > To: Zheng, Kai <kai.zheng@intel.com>
> > > > > > > Cc: kerby@directory.apache.org
> > > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > > >
> > > > > > >
> > > > > > > On Thu, Jun 23, 2016 at 3:28 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > > > I see. Why do you want to validate it using GSS on the client side?
> > > > > > > Because the client gets it and then should just trust it, right?
> > > > > > > To validate a service ticket needs the service key or
> > > > > > > keytab, which is why I thought it could be on the server side.
> > > > > > >
> > > > > > > Just to test that it works! See the unit test called "unitGSSTest"
> > > > > > > here:
> > > > > > >
> > > > > > >
> > > > > > > https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-kerberos-kerby/src/test/java/org/apache/coheigea/cxf/kerberos/authentication/AuthenticationTest.java
> > > > > > > Using the GSS API I do:
> > > > > > >
> > > > > > > byte[] ticket = (byte[]) Subject.doAs(clientSubject, action);
> > > > > > > ...
> > > > > > > validateServiceTicket(ticket);
> > > > > > >
> > > > > > >
> > > > > > > I got your scenario. Are you able to obtain the service
> > > > > > > ticket or not? You seem to, because you said you can use a JWT
> > > > > > > token for that. But then you asked how to access the service
> > > > > > > ticket on the client side using the Kerby API. Did you have the
> > > > > > > SgtTicket in hand? If yes, I thought then you can extract
> > > > > > > something from it to put into the SOAP header.
> > > > > > > Could you point to the relevant spec about that? I may then
> > > > > > > have a concrete idea to help.
> > > > > > >
> > > > > > > Yes I have the SgtTicket in hand. Now I want to extract the
> > > > > > > service ticket from this class as an array of bytes, similar to
> > > > > > > what I get above from Subject.doAs using the GSS API. I know how
> > > > > > > to put the Kerberos token in the SOAP header, my question is how
> > > > > > > to get it from SgtTicket in the first place :-)
> > > > > > > Thanks again for your help,
> > > > > > >
> > > > > > > Colm.
> > > > > > >
> > > > > > >
> > > > > > > Regards,
> > > > > > > Kai
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > > Sent: Thursday, June 23, 2016 9:40 PM
> > > > > > > To: kerby@directory.apache.org
> > > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > > >
> > > > > > > On Thu, Jun 23, 2016 at 2:31 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > > >
> > > > > > > >
> > > > > > > > >> How do I extract the token from SgtTicket that I can
> > > > > > > > >> validate using GSS?
> > > > > > > > Sorry, but where do you want to do this? App client side
> > > > > > > > or server side?
> > > > > > > > If on the server side, I thought you have already made it, as
> > > > > > > > your previous email notified, being able to query/extract
> > > > > > > > the authorization data and get the token from it. Would you
> > > > > > > > clarify a bit?
> > > > > > > >
> > > > > > >
> > > > > > > On the client side. So what I want to do is use the Kerby
> > > > > > > API to get a service ticket (using a JWT token) and then
> > > > > > > extract the ticket from the KDC response + validate it using GSS.
> > > > > > > For example, for SOAP web services, the service ticket is
> > > > > > > inserted into the SOAP header of the web services call in
> > > > > > > BASE-64 format. So the question is, how can I get access to
> > > > > > > the service ticket on the client side using the Kerby API?
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Colm.
> > > > > > >
> > > > > > >
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Kai
> > > > > > > >
> > > > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > > > Sent: Thursday, June 23, 2016 7:59 PM
> > > > > > > > To: Zheng, Kai <kai.zheng@intel.com>
> > > > > > > > Cc: kerby@directory.apache.org
> > > > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > > > >
> > > > > > > > Hi Kai,
> > > > > > > >
> > > > > > > > On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > > > >
> > > > > > > > Great question. Here what you need would be a login module
> > > > > > > > using a token, and the module will send the token to the KDC for
> > > > > > > > a TGT to get an SGT that's to be used in a GSS session. We
> > > > > > > > already have the module, please look at TokenAuthLoginModule.
> > > > > > > >
> > > > > > > > From what I can see, the TokenAuthLoginModule just gets
> > > > > > > > the TGT and not the SGT. However, I can get the service
> > > > > > > > ticket easily enough via the Kerby API from this. How do I
> > > > > > > > extract the token from SgtTicket that I can validate using GSS?
> > > > > > > >
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Kai
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org
> <mailto:
> > > coheigea@apache.org><mailto:
> > > > > > > coheigea@apache.org<mailto:coheigea@apache.org>><mailto:
> > > > > > > > coheigea@apache.org<mailto:coheigea@apache.org><mailto:
> > > coheigea@apache.org<mailto:coheigea@apache.org>>>]
> > > > > > > > Sent: Wednesday, June 22, 2016 9:36 PM
> > > > > > > > To:
> > > > > > > >kerby@directory.apache.org<mailto:kerby@directory.apache.or
> > > > > > > >g
> > > ><mailto:kerby@directory.apache.org<mailto:kerby@directory.apache.or
> > > >g>
> > > > > > > ><mailto:kerby@directory.apache.org<mailto:
> > > kerby@directory.apache.org><mailto:kerby@directory.apache<mailto:
> > > kerby@directory.apache>.
> > > > > > > >or
> > > > > > > >g>>
> > > > > > > > Subject: Re: JWT pre-authentication - get JWT token on
> > > > > > > >service side
> > > > > > > >
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > Some more questions on this task:
> > > > > > > >
> > > > > > > > 1) Kai, you mentioned the AuthzToken type. Is this defined
> > > > > > > > somewhere so that I can add it in to the AuthorizationType class?
> > > > > > > >
> > > > > > > > 2) Currently, the TokenIssuer class asks the
> > > > > > > > IdentityService for the authorization data. However, the
> > > > > > > > IdentityService doesn't have access to the token. Is it
> > > > > > > > reasonable default behaviour to insert the received token
> > > > > > > > in the TokenIssuer as the authorization data, and if none
> > > > > > > > exists fall back to ask the IdentityService for any
> > > > > > > > authorization data?
> > > > > > > >
> > > > > > > > 3) I can extract the token on the service side using the
> > > > > > > > GSS API in the way suggested by Kai. However, how can I
> > > > > > > > send the token to the KDC on the client side using GSS?
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > >
> > > > > > > > Colm.
> > > > > > > >
> > > > > > > > On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > > > >
> > > > > > > > > It's not a bug. It works that way: the temp value will
> > > > > > > > > be there only after you have decoded/decrypted the part.
> > > > > > > > >
> > > > > > > > > Note the SGT is used/consumed on the app server side, and can
> > > > > > > > > be decrypted using the server ticket/key. I suggest you try
> > > > > > > > > this in the GssAppTest code using the example code I
> > > > > > > > > provided in my last email, where you should be able to
> > > > > > > > > query/extract the authorization data. If you put the
> > > > > > > > > token in the authorization data, then after decoding it,
> > > > > > > > > you could extract the token from it.
> > > > > > > > > I remember we had defined the AuthzToken type for this
> > > > > > > > > actually, but guess it's not used yet.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > Kai
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org
> > <mailto:
> > > coheigea@apache.org><mailto:
> > > > > > > coheigea@apache.org<mailto:coheigea@apache.org>><mailto:
> > > > > > > > coheigea@apache.org<mailto:coheigea@apache.org><mailto:
> > > coheigea@apache.org<mailto:coheigea@apache.org>>>]
> > > > > > > > > Sent: Friday, June 17, 2016 7:21 PM
> > > > > > > > > To:
> > > > > > > > > kerby@directory.apache.org<mailto:kerby@directory.apache
> > > > > > > > > .o
> > > > > > > > > rg
> > > ><mailto:kerby@directory.apache.org<mailto:kerby@directory.apache.or
> > > >g>
> > > > > > > ><mailto:kerby@directory.apache.org<mailto:
> > > kerby@directory.apache.org><mailto:kerby@directory.apache<mailto:
> > > kerby@directory.apache>.
> > > > > > > >or
> > > > > > > >g>>
> > > > > > > > > Subject: Re: JWT pre-authentication - get JWT token on
> > > > > > > > > service side
> > > > > > > > >
> > > > > > > > > Thanks Kai and Jiajia!
> > > > > > > > >
> > > > > > > > > I'm trying to get access to the authorization data using
> > > > > > > > > the Kerby API after getting a service ticket:
> > > > > > > > >
> > > > > > > > > SgtTicket tkt = tokenClient.requestSgt(krbToken,
> > > > > > > > > serverPrinc, cCacheFile.getPath());
> > > > > > > > >
> > > > > > > > > However the following is null:
> > > > > > > > >
> > > > > > > > > tkt.getTicket().getEncPart()
> > > > > > > > >
> > > > > > > > > Is this a bug or how else can I parse the ticket to get
> > > > > > > > > the authorization data?
> > > > > > > > >
> > > > > > > > > Colm.
> > > > > > > > >
> > > > > > > > > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > > > > >
> > > > > > > > > > Thanks Jiajia for the first question!
> > > > > > > > > >
> > > > > > > > > > For the second one, since you're using GSS the even
> > > > > > > > > > lower level, which is more fine, and should be totally
> > doable. Ref.
> > > > > > > > > > the following
> > > > > > > > doc:
> > > > > > > > > >
> > > > > > > > > > https://docs.oracle.com/javase/7/docs/jre/api/security
> > > > > > > > > > /j
> > > > > > > > > > gs s/ sp ec/c om /s
> > > > > > > > > > un/security/jgss/ExtendedGSSContext.html
> > > > > > > > > >
> > > > > > > > > >       import java.security.Key;
> > > > > > > > > >       import org.ietf.jgss.GSSContext;
> > > > > > > > > >       import org.ietf.jgss.GSSException;
> > > > > > > > > >       import com.sun.security.jgss.ExtendedGSSContext;
> > > > > > > > > >       import com.sun.security.jgss.InquireType;
> > > > > > > > > >
> > > > > > > > > >       GSSContext ctxt = m.createContext(...)
> > > > > > > > > >       // Establishing the context
> > > > > > > > > >       if (ctxt instanceof ExtendedGSSContext) {
> > > > > > > > > >           ExtendedGSSContext ex = (ExtendedGSSContext) ctxt;
> > > > > > > > > >           try {
> > > > > > > > > >               // the cast is to the type Key, not to the variable name
> > > > > > > > > >               Key key = (Key) ex.inquireSecContext(
> > > > > > > > > >                       InquireType.KRB5_GET_SESSION_KEY);
> > > > > > > > > >               // read key info
> > > > > > > > > >           } catch (GSSException gsse) {
> > > > > > > > > >               // deal with exception
> > > > > > > > > >           }
> > > > > > > > > >       }
> > > > > > > > > >
> > > > > > > > > > As you can see, after the GSS context is established, you
> > > > > > > > > > can query the SESSION_KEY from the layer. You can also
> > > > > > > > > > query the AUTHZ_DATA field similarly!
> > > > > > > > > > After you get the authz data, it's up to you to decode it,
> > > > > > > > > > say using the Kerby library to decode the ASN.1 object and
> > > > > > > > > > extract any info in it, like the token.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > > Kai
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: Li, Jiajia [mailto:jiajia.li@intel.com]
> > > > > > > > > > Sent: Thursday, June 16, 2016 7:50 PM
> > > > > > > > > > To: kerby@directory.apache.org; coheigea@apache.org
> > > > > > > > > > Subject: RE: JWT pre-authentication - get JWT token on service side
> > > > > > > > > >
> > > > > > > > > > Hi Colm,
> > > > > > > > > >
> > > > > > > > > > For the first question: I think the token has not yet
> > > > > > > > > > been put into the issued service ticket as authorization data.
> > > > > > > > > > You can look at issueTicket()#TgsRequest.java on the
> > > > > > > > > > server side for details.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > > Jiajia
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > > > > > Sent: Thursday, June 16, 2016 7:19 PM
> > > > > > > > > > To: kerby@directory.apache.org
> > > > > > > > > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > > > > > > > > >
> > > > > > > > > > Thanks Kai. A few questions below.
> > > > > > > > > >
> > > > > > > > > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > 1. For issuing a service ticket, the token used to do
> > > > > > > > > > > the authentication, or a token derivation, was put
> > > > > > > > > > > into the issued service ticket as authorization
> > > > > > > > > > > data. I'm not sure whether the current Kerby impl has
> > > > > > > > > > > done this or not. If not, it should not be difficult
> > > > > > > > > > > to support, considering we have some Kerby
> > > > > > > > > > > authorization support now.
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > I can take a look at this. Can you give me some
> > > > > > > > > > pointers in the code so that I know where to start?
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > 2. On the application server side, it should be able to
> > > > > > > > > > > query and extract the token encapsulated in the
> > > > > > > > > > > authorization data field of the service ticket. This
> > > > > > > > > > > should be doable now, because a proposal from me
> > > > > > > > > > > quite some time ago had already been accepted by Oracle
> > > > > > > > > > > Java, as recorded in the following ticket, though I
> > > > > > > > > > > haven't had the chance to verify it using the latest JDK
> > > > > > > > > > > update like JDK8.
> > > > > > > > > > >
> > > > > > > > > > > JDK-8044085, our extension proposal accepted and committed:
> > > > > > > > > > > allowing querying the authorization data field of the
> > > > > > > > > > > service ticket.
> > > > > > > > > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > The JDK service ticket only refers to SASL. If I'm
> > > > > > > > > > just using GSS on the service side, is it already supported?
> > > > > > > > > > If so, how can I extract it?
> > > > > > > > > >
> > > > > > > > > > Colm.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > So in summary, if you want to try this, I would
> > > > > > > > > > > suggest you go ahead since it's doable now.
> > > > > > > > > > > Please let me know if you have other questions.
> > > > > > > > > > >
> > > > > > > > > > > Regards,
> > > > > > > > > > > Kai
> > > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > > > > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > > > > > > > > To: kerby@directory.apache.org
> > > > > > > > > > > Subject: JWT pre-authentication - get JWT token on service side
> > > > > > > > > > >
> > > > > > > > > > > Hi all,
> > > > > > > > > > >
> > > > > > > > > > > For the JWT pre-authentication use-case, how can I
> > > > > > > > > > > get access to the token information on the service side?
> > > > > > > > > > >
> > > > > > > > > > > From the documentation: "The service authenticates
> > > > > > > > > > > the ticket, extracts the token derivation, then
> > > > > > > > > > > enforce any advanced authorization by employing the
> > > > > > > > > > > token derivation and token attributes"
> > > > > > > > > > >
> > > > > > > > > > > Is there an example in the code to look at?
> > > > > > > > > > >
> > > > > > > > > > > Colm.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Colm O hEigeartaigh
> > > > > > > > > > >
> > > > > > > > > > > Talend Community Coder http://coders.talend.com
> > > > > > > > > > >
-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
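As an added example (not code from this thread, from the JDK docs, or from Kerby), the two service-side pieces discussed above put together: reading the service ticket's authorization data through ExtendedGSSContext (the JDK-8044085 extension), and then honouring a token's roles only when its audience names this service, which is the check that keeps KDC-targeted roles from being applied by services if authorization data is copied from the TGT. It assumes the Nimbus JOSE+JWT library for parsing, assumes a "roles" claim name, and assumes the Kerby ASN.1 decoding step the thread leaves to the reader has already produced the compact JWT string; the sample tokens and principal names are constructed.

```java
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

import java.text.ParseException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class ServiceTokenAuthz {

    /** After the GSS context is established, read the service ticket's authorization data (JDK-8044085). */
    static AuthorizationDataEntry[] authzData(GSSContext ctxt) throws GSSException {
        if (!ctxt.isEstablished() || !(ctxt instanceof ExtendedGSSContext)) {
            return new AuthorizationDataEntry[0];   // older JDK or context not ready: nothing to inspect
        }
        Object ad = ((ExtendedGSSContext) ctxt).inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
        // Each entry exposes getType() (the AD type number) and getData() (the raw ASN.1 payload);
        // turning the Kerby token entry into a compact JWT string is the decoding step left to the reader.
        return ad == null ? new AuthorizationDataEntry[0] : (AuthorizationDataEntry[]) ad;
    }

    /** Roles the service may apply: only those from a token whose "aud" names this service principal. */
    static List<String> rolesFor(String compactJwt, String servicePrincipal) throws ParseException {
        JWTClaimsSet claims = JWTParser.parse(compactJwt).getJWTClaimsSet();
        List<String> aud = claims.getAudience();
        if (aud == null || !aud.contains(servicePrincipal)) {
            return Collections.emptyList();   // roles aimed at the KDC (or another service) are ignored here
        }
        List<String> roles = claims.getStringListClaim("roles");   // "roles" is an assumed claim name
        return roles == null ? Collections.emptyList() : roles;
    }

    public static void main(String[] args) throws Exception {
        String me = "HTTP/app.example.com";   // constructed service principal
        // Constructed, unsigned sample tokens for the demo only; the real token was verified by the KDC at pre-auth.
        JWTClaimsSet kdcOnly = new JWTClaimsSet.Builder().subject("alice")
                .audience("krbtgt/EXAMPLE.COM").claim("roles", Arrays.asList("kdc-admin")).build();
        JWTClaimsSet forMe = new JWTClaimsSet.Builder().subject("alice")
                .audience(me).claim("roles", Arrays.asList("reader")).build();
        System.out.println("KDC-scoped token yields " + rolesFor(new PlainJWT(kdcOnly).serialize(), me));
        System.out.println("Service-scoped token yields " + rolesFor(new PlainJWT(forMe).serialize(), me));
    }
}
```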
