On Thu, Jun 23, 2016 at 2:31 PM, Zheng, Kai <[email protected]> wrote:
> > >> How do I extract the token from SgtTicket that I can validate using GSS?
>
> Sorry, but where do you want to do this? App client side or server side?
> If on server side, I thought you have already made it, as your previous
> email notified, being able to query/extract the authorization data and get
> token from it. Would you clarify some bit?
>

On the client side. So what I want to do is use the Kerby API to get a service ticket (using a JWT token) and then extract the ticket from the KDC response + validate it using GSS. For example, for SOAP web services, the service ticket is inserted into the SOAP header of the web services call in BASE-64 format. So the question is, how can I get access to the service ticket on the client side using the Kerby API?

Thanks, Colm.

>
> Regards,
> Kai
>
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Thursday, June 23, 2016 7:59 PM
> To: Zheng, Kai <[email protected]>
> Cc: [email protected]
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Hi Kai,
>
> On Wed, Jun 22, 2016 at 3:11 PM, Zheng, Kai <[email protected]> wrote:
>
> Great question. Here what you need would be a login module using token,
> and the module will send the token to KDC for a TGT to get a SGT that's to
> be used in a GSS session. We have already the module, please look at
> TokenAuthLoginModule.
>
> From what I can see, the TokenAuthLoginModule just gets the TGT and not
> the SGT. However, I can get the service ticket easily enough via the Kerby
> API from this. How do I extract the token from SgtTicket that I can
> validate using GSS?
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Wednesday, June 22, 2016 9:36 PM
> To: [email protected]
> Subject: Re: JWT pre-authentication - get JWT token on service side
>
> Hi all,
>
> Some more questions on this task:
>
> 1) Kai, you mentioned the AuthzToken type. Is this defined somewhere so
> that I can add it in to the AuthorizationType class?
>
> 2) Currently, the TokenIssuer class asks the IdentityService for the
> authorization data. However, the IdentityService doesn't have access to the
> token. Is it reasonable default behaviour to insert the received token in
> the TokenIssuer as the authorization data, and if none exists fall back to
> ask the IdentityService for any authorization data?
>
> 3) I can extract the token on the service side using the GSS API in the
> way suggested by Kai. However, how can I send the token to the KDC on the
> client side using GSS?
>
> Thanks,
>
> Colm.
>
> On Fri, Jun 17, 2016 at 4:41 PM, Zheng, Kai <[email protected]> wrote:
>
> > It's not a bug. It works that way, the temp value will be there only
> > after you have decode/decrypt the part.
> >
> > Note SGT is used/consumed in app server side, and can be decrypted
> > using the server ticket/key. I suggest you try this in the GssAppTest
> > codes using the example code I provided in my last email, where you
> > should be able to query/extract the authorization data. If you put the
> > token in the authorization data, then after decoding it, you could
> > extract token from it. I remembered we had defined the AuthzToken type
> > for this actually but guess it's not used yet.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Friday, June 17, 2016 7:21 PM
> > To: [email protected]
> > Subject: Re: JWT pre-authentication - get JWT token on service side
> >
> > Thanks Kai and Jiajia!
> >
> > I'm trying to get access to the authorization data using the Kerby API
> > after getting a service ticket:
> >
> >     SgtTicket tkt = tokenClient.requestSgt(krbToken, serverPrinc,
> >             cCacheFile.getPath());
> >
> > However the following is null:
> >
> >     tkt.getTicket().getEncPart()
> >
> > Is this a bug or how else can I parse the ticket to get the
> > authorization data?
> >
> > Colm.
> >
> > On Thu, Jun 16, 2016 at 1:01 PM, Zheng, Kai <[email protected]> wrote:
> >
> > > Thanks Jiajia for the first question!
> > >
> > > For the second one, since you're using GSS the even lower level,
> > > which is more fine, and should be totally doable. Ref. the following doc:
> > >
> > > https://docs.oracle.com/javase/7/docs/jre/api/security/jgss/spec/com/sun/security/jgss/ExtendedGSSContext.html
> > >
> > >     GSSContext ctxt = m.createContext(...)
> > >     // Establishing the context
> > >     if (ctxt instanceof ExtendedGSSContext) {
> > >         ExtendedGSSContext ex = (ExtendedGSSContext) ctxt;
> > >         try {
> > >             // inquireSecContext() returns Object; cast to the type the InquireType documents
> > >             Key key = (Key) ex.inquireSecContext(
> > >                     InquireType.KRB5_GET_SESSION_KEY);
> > >             // read key info
> > >         } catch (GSSException gsse) {
> > >             // deal with exception
> > >         }
> > >     }
> > >
> > > As you can see after established the GSS context, you can query the
> > > SESSION_KEY from the layer. You can also query AUTHZ_DATA field similarly!
> > > After you get authz data, it's up to you to decode it, say using
> > > Kerby library to decode the ASN1 object and extract any info in it
> > > like the token.
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Li, Jiajia [mailto:[email protected]]
> > > Sent: Thursday, June 16, 2016 7:50 PM
> > > To: [email protected]; [email protected]
> > > Subject: RE: JWT pre-authentication - get JWT token on service side
> > >
> > > Hi Colm,
> > >
> > > For the first question: I think now the token has not been put into
> > > the issued service ticket as authorization data. You can look at
> > > issueTicket()#TgsRequest.java in server side for detail.
> > >
> > > Regards,
> > > Jiajia
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > Sent: Thursday, June 16, 2016 7:19 PM
> > > To: [email protected]
> > > Subject: Re: JWT pre-authentication - get JWT token on service side
> > >
> > > Thanks Kai. A few questions below.
> > >
> > > On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai <[email protected]> wrote:
> > >
> > > > 1. For issuing service ticket, the token used to do the
> > > > authentication or a token derivation was put into the issued
> > > > service ticket as authorization data. I'm not sure in current
> > > > Kerby impl, it has done this or not. If not, it should be not
> > > > difficult to support it, considering we have some Kerby
> > > > authorization support now.
> > > >
> > >
> > > I can take a look at this. Can you give me some pointers in the code
> > > so that I know where to start?
> > >
> > > >
> > > > 2. In application server side, it should be able to query and
> > > > extract out the token encapsulated in the authorization data field
> > > > in the service ticket. This should be doable now, because a
> > > > proposal from me quite some ago had already been accepted by
> > > > Oracle Java, as recorded in the following ticket, though I hadn't
> > > > got the chance to verify it using latest JDK update like JDK8.
> > > >
> > > > JDK-8044085, our extension proposal accepted and committed:
> > > > allowing querying authorization data field of service ticket.
> > > > https://bugs.openjdk.java.net/browse/JDK-8044085
> > > >
> > >
> > > The JDK service ticket only refers to SASL. If I'm just using GSS on
> > > the service side, is it already supported? If so, how can I extract it?
> > >
> > > Colm.
> > >
> > > >
> > > > So in summary, if you want to try this, I would suggest please go
> > > > ahead since it's doable now. Please let me know if you have other
> > > > questions.
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > > Sent: Thursday, June 16, 2016 5:54 PM
> > > > To: [email protected]
> > > > Subject: JWT pre-authentication - get JWT token on service side
> > > >
> > > > Hi all,
> > > >
> > > > For the JWT pre-authentication use-case, how can I get access to
> > > > the token information on the service side?
> > > >
> > > > From the documentation: "The service authenticates the ticket,
> > > > extracts the token derivation, then enforce any advanced
> > > > authorization by employing the token derivation and token attributes"
> > > >
> > > > Is there an example in the code to look at?
> > > >
> > > > Colm.
> > > >
> > > > --
> > > > Colm O hEigeartaigh
> > > >
> > > > Talend Community Coder
> > > > http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
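Kai's suggestion in the thread (query the authorization data from an ExtendedGSSContext on the acceptor side, then decode whatever was placed there yourself) carried through as an added example; this is not code from the thread or from the Kerby project. It assumes a JDK 8 or later runtime where JDK-8044085 is present, so that `InquireType.KRB5_GET_AUTHZ_DATA` returns an `AuthorizationDataEntry[]`. The ad-type number `TOKEN_AD_TYPE` is a placeholder, because the thread says the AuthzToken type is not defined yet, and `jwtPayloadJson` only parses the compact JWT; it does not verify it.

```java
import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example, not Kerby project code: once the acceptor has established a
 * GSS context, the JDK has already decrypted the service ticket with the
 * service key. JDK-8044085 lets us read the ticket's authorization-data
 * entries from that context and pick out the one carrying the token.
 */
public class AuthzTokenExtractor {

    /** Hypothetical ad-type for the embedded token (placeholder, not a value from Kerby). */
    static final int TOKEN_AD_TYPE = 0x7fff;

    /**
     * Returns the raw bytes of the token AD entry, or null when the context is
     * not established, is not an ExtendedGSSContext, or carries no such entry.
     */
    static byte[] findTokenEntry(GSSContext ctxt) throws GSSException {
        if (!ctxt.isEstablished() || !(ctxt instanceof ExtendedGSSContext)) {
            return null;
        }
        ExtendedGSSContext ex = (ExtendedGSSContext) ctxt;
        // inquireSecContext() returns Object; for KRB5_GET_AUTHZ_DATA it is AuthorizationDataEntry[]
        AuthorizationDataEntry[] entries =
                (AuthorizationDataEntry[]) ex.inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
        if (entries == null) {
            return null;
        }
        for (AuthorizationDataEntry entry : entries) {
            if (entry.getType() == TOKEN_AD_TYPE) {
                return entry.getData();
            }
        }
        return null;
    }

    /**
     * Splits a compact-serialized JWT (header.payload.signature) and returns the
     * payload JSON. No signature, expiry or audience check is done here.
     */
    static String jwtPayloadJson(byte[] compactJwt) {
        String compact = new String(compactJwt, StandardCharsets.US_ASCII);
        String[] parts = compact.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS: expected 3 dot-separated parts");
        }
        // JWT segments are base64url without padding; the JDK decoder accepts unpadded input
        byte[] payload = Base64.getUrlDecoder().decode(parts[1]);
        return new String(payload, StandardCharsets.UTF_8);
    }

    private static String b64url(String s) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample token: a dummy header and payload with a placeholder signature segment.
        String header = b64url("{\"alg\":\"none\"}");
        String payload = b64url("{\"sub\":\"alice\",\"iss\":\"example-idp\"}");
        byte[] sample = (header + "." + payload + ".sig").getBytes(StandardCharsets.US_ASCII);
        System.out.println(jwtPayloadJson(sample));
    }
}
```

In a real acceptor, `findTokenEntry` would be called after the `acceptSecContext` loop completes, and the bytes handed to a proper JWT library. The KDC-issued ticket vouches only that the KDC placed these bytes in the ticket; the token's own signature, expiry and audience must still be checked against the issuer's key before any authorization decision is enforced from its claims.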
