It's not a bug. It works that way; the temp value will be there only after you have decoded/decrypted the part.
Note the SGT is used/consumed on the app server side, and can be decrypted using the server ticket/key. I suggest you try this in the GssAppTest code using the example code I provided in my last email, where you should be able to query/extract the authorization data. If you put the token in the authorization data, then after decoding it, you could extract the token from it. I remembered we had defined the AuthzToken type for this actually but guess it's not used yet.

Regards,
Kai

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]]
Sent: Friday, June 17, 2016 7:21 PM
To: [email protected]
Subject: Re: JWT pre-authentication - get JWT token on service side

Thanks Kai and Jiajia! I'm trying to get access to the authorization data using the Kerby API after getting a service ticket:

    SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc, cCacheFile.getPath());

However the following is null:

    tkt.getTicket().getEncPart()

Is this a bug or how else can I parse the ticket to get the authorization data?

Colm.

On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <[email protected]> wrote:

> Thanks Jiajia for the first question!
>
> For the second one, since you're using GSS the even lower level, which
> is more fine, and should be totally doable. Ref. the following doc:
>
> https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
>
>     GSSContext ctxt = m.createContext(...);
>     // Establishing the context
>     if (ctxt instanceof ExtendedGSSContext) {
>         ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
>         try {
>             Key key = (Key)ex.inquireSecContext(
>                 InquireType.KRB5_GET_SESSION_KEY);
>             // read key info
>         } catch (GSSException gsse) {
>             // deal with exception
>         }
>     }
>
> As you can see, after establishing the GSS context, you can query the
> SESSION_KEY from the layer. You can also query the AUTHZ_DATA field similarly!
> After you get the authz data, it's up to you to decode it, say using the Kerby
> library to decode the ASN1 object and extract any info in it like the token.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Li, Jiajia [mailto:[email protected]]
> Sent: Thursday, June 16, 2016 7:50 PM
> To: [email protected]; [email protected]
> Subject: RE: JWT pre-authentication - get JWT token on service side
>
> Hi Colm,
>
> For the first question: I think now the token has not been put into
> the issued service ticket as authorization data. You can look at
> issueTicket()#TgsRequest.java in server side for detail.
>
> Regards,
> Jiajia
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Thursday, June 16, 2016 7:19 PM
> To: [email protected]
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Thanks Kai. A few questions below.
>
> On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <[email protected]> wrote:
>
> > 1. For issuing service ticket, the token used to do the
> > authentication or a token derivation was put into the issued service
> > ticket as authorization data. I'm not sure in current Kerby impl, it
> > has done this or not. If not, it should be not difficult to support
> > it, considering we have some Kerby authorization support now.
>
> I can take a look at this. Can you give me some pointers in the code
> so that I know where to start?
>
> > 2. In application server side, it should be able to query and
> > extract out the token encapsulated in the authorization data field
> > in the service ticket. This should be doable now, because a proposal
> > from me quite some ago had already been accepted by Oracle Java, as
> > recorded in the following ticket, though I hadn't got the chance to
> > verify it using latest JDK update like JDK8.
> >
> > JDK-8044085, our extension proposal accepted and committed: allowing
> > querying authorization data field of service ticket.
> > https://bugs.openjdk.java.net/browse/JDK-8044085
>
> The JDK service ticket only refers to SASL. If I'm just using GSS on
> the service side, is it already supported? If so, how can I extract it?
>
> Colm.
>
> > So in summary, if you want to try this, I would suggest please go
> > ahead since it's doable now. Please let me know if you have other
> > questions.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Thursday, June 16, 2016 5:54 PM
> > To: [email protected]
> > Subject: JWT pre-authentication - get JWT token on service side
> >
> > Hi all,
> >
> > For the JWT pre-authentication use-case, how can I get access to the
> > token information on the service side?
> >
> > From the documentation: "The service authenticates the ticket,
> > extracts the token derivation, then enforce any advanced
> > authorization by employing the token derivation and token attributes"
> >
> > Is there an example in the code to look at?
> >
> > Colm.
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
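
Added example, not part of the original thread and not Kerby or JDK code: a service-side sketch that queries `InquireType.KRB5_GET_AUTHZ_DATA` on an established acceptor context and decodes a DER `AuthorizationData` blob, unwrapping AD-IF-RELEVANT containers. The class name `AuthzDataExample`, the entry type 999 and the sample bytes are constructed for illustration; the thread does not say which ad-type a token entry would use.

```java
import com.sun.security.jgss.*;   // AuthorizationDataEntry, ExtendedGSSContext, InquireType
import java.nio.ByteBuffer;
import java.util.*;
import org.ietf.jgss.*;           // GSSContext, GSSException

public class AuthzDataExample {
    static final int AD_IF_RELEVANT = 1;  // RFC 4120 container type
    // Acceptor side only, after the context is established; null if nothing is available.
    static AuthorizationDataEntry[] fromContext(GSSContext ctx) throws GSSException {
        if (!ctx.isEstablished() || !(ctx instanceof ExtendedGSSContext)) return null;
        return (AuthorizationDataEntry[]) ((ExtendedGSSContext) ctx)
                .inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
    }

    // Reads one DER TLV (short or long-form length) and returns a view of its contents.
    static ByteBuffer tlv(ByteBuffer in, int tag) {
        if ((in.get() & 0xff) != tag) throw new IllegalArgumentException("unexpected tag");
        int len = in.get() & 0xff, n = len & 0x7f;
        if (len == 0x80 || len > 0x84) throw new IllegalArgumentException("bad length");
        if (len > 0x80) for (len = 0; n > 0; n--) len = (len << 8) | (in.get() & 0xff);
        ByteBuffer body = in.slice();
        body.limit(len);                  // throws if len exceeds the remaining bytes
        in.position(in.position() + len);
        return body;
    }

    // AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }
    static List<AuthorizationDataEntry> parse(byte[] der) {
        List<AuthorizationDataEntry> out = new ArrayList<>();
        for (ByteBuffer seq = tlv(ByteBuffer.wrap(der), 0x30); seq.hasRemaining(); ) {
            ByteBuffer entry = tlv(seq, 0x30);
            ByteBuffer t = tlv(tlv(entry, 0xa0), 0x02);
            int type = t.get(0) < 0 ? -1 : 0;          // sign-extend the DER INTEGER
            while (t.hasRemaining()) type = (type << 8) | (t.get() & 0xff);
            ByteBuffer d = tlv(tlv(entry, 0xa1), 0x04);
            byte[] data = new byte[d.remaining()];
            d.get(data);
            if (type == AD_IF_RELEVANT) out.addAll(parse(data));  // nested AuthorizationData
            else out.add(new AuthorizationDataEntry(type, data));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: nested AuthorizationData with one entry, type 999, data "jwt".
        byte[] nested = {0x30, 0x0f, 0x30, 0x0d, (byte) 0xa0, 4, 2, 2, 3, (byte) 0xe7,
                         (byte) 0xa1, 5, 4, 3, 'j', 'w', 't'};
        parse(nested).forEach(e -> System.out.println(e.getType() + " " + new String(e.getData())));
    }
}
```

In a real service, pass each AD-IF-RELEVANT entry returned by `fromContext` through `parse(entry.getData())`; the entries come from the ticket part decrypted with the service key, which is why they are only available on the acceptor side.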
