Hi,
A web application can renew an app-token at any time, extending the
application session. Renewing the Kerberos TGT in the webkdc-proxy token,
however, requires the user to visit the WebKDC.
So for extended periods of idle time the SSO session might expire before
the application session (given that the app-token has been refreshed in
the meantime).
That would be fine; however, IFF the application decides to embed the
Kerberos service ticket from the id-token in the app-token, to (say) be
able to do S4U2proxy requests for further delegated credentials, it would
have no way to renew that service ticket before it times out unless it
forces the user to visit the WebKDC. But we don't know in advance when the
user will become idle, so we don't know when to do that.
Also... renewing the basic app-token requires no special external
interaction from the application web server, but renewing the Kerberos
service ticket does... and it would be preferable not to do that on
every request just to be sure it's renewed "as much as possible".
Wouldn't that effectively force you to operate with very long lifetimes
for Kerberos service tickets if your application needs them to be valid
at some point during the application session?
Also, considering the WebAuth protocol's support for credential delegation
by using proxy tokens, I was wondering if that could be replaced by
S4U2proxy support at the Kerberos level, thus making it the same
mechanism used to delegate throughout the Kerberos infrastructure.
/Peter
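The timing problem raised in the message above, as an added example that is not part of the original post or of the WebAuth code base: a small model in which the app-token slides forward on every request without contacting the KDC, while the Kerberos service ticket embedded in it keeps its original expiry, so a user who goes idle late in the session can come back with a live application session but a dead ticket. The lifetimes, the session fields and the `renew_margin` policy (force a WebKDC visit once the ticket's remaining lifetime drops below a threshold) are all constructed assumptions for illustration, not WebAuth behaviour.

```python
"""Model of app-token renewal vs. embedded service-ticket expiry.

Added example; names, lifetimes and the renew_margin policy are assumptions
made for illustration and do not describe the WebAuth implementation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed lifetimes in seconds; a real deployment sets its own.
APP_TOKEN_LIFETIME = 60 * 60         # app-token slides 1 h on each request
SSO_LIFETIME = 10 * 60 * 60          # WebKDC single-sign-on session, 10 h
SVC_TICKET_LIFETIME = 8 * 60 * 60    # Kerberos service ticket, 8 h


@dataclass
class AppSession:
    app_token_expires: int
    svc_ticket_expires: int   # expiry of the service ticket embedded in the app-token
    sso_expires: int          # expiry of the WebKDC SSO session
    webkdc_visits: int = 0


def login(now: int) -> AppSession:
    """Initial WebKDC visit: fresh SSO session, fresh service ticket, fresh app-token."""
    return AppSession(now + APP_TOKEN_LIFETIME, now + SVC_TICKET_LIFETIME,
                      now + SSO_LIFETIME, webkdc_visits=1)


def refresh_at_webkdc(s: AppSession, now: int) -> bool:
    """Redirect the browser to the WebKDC to obtain a new service ticket.

    Succeeds without user interaction only while the SSO session is alive.
    The SSO lifetime itself is not extended here (assumption).
    """
    if now >= s.sso_expires:
        return False  # user would have to re-authenticate
    s.svc_ticket_expires = now + SVC_TICKET_LIFETIME
    s.app_token_expires = now + APP_TOKEN_LIFETIME
    s.webkdc_visits += 1
    return True


def handle_request(s: AppSession, now: int, renew_margin: Optional[int]) -> str:
    """Process one application request and report what the server had to do.

    renew_margin=None reproduces the situation in the message: only the
    app-token is renewed, locally. Otherwise a WebKDC visit is forced
    whenever the embedded ticket would expire within renew_margin seconds.
    """
    if now >= s.app_token_expires:
        return "app-session-expired"
    s.app_token_expires = now + APP_TOKEN_LIFETIME  # local renewal, no KDC contact
    if renew_margin is not None and s.svc_ticket_expires - now < renew_margin:
        return "webkdc-ok" if refresh_at_webkdc(s, now) else "reauth-required"
    return "local-renew"


def s4u2proxy_possible(s: AppSession, now: int) -> bool:
    """Is the embedded ticket still usable for an S4U2proxy request at `now`?"""
    return now < s.svc_ticket_expires


def run(request_times: List[int], s4u_time: int,
        renew_margin: Optional[int] = None) -> Tuple[List[str], bool, int]:
    """Log in at t=0, replay the requests, then attempt S4U2proxy at s4u_time."""
    s = login(0)
    log = [handle_request(s, t, renew_margin) for t in request_times]
    return log, s4u2proxy_possible(s, s4u_time), s.webkdc_visits


if __name__ == "__main__":
    # Constructed scenario: a request every 30 min for 7.5 h, then 45 min idle,
    # then the application needs delegated credentials at 8.25 h.
    reqs = list(range(1800, 27001, 1800))
    print(run(reqs, 29700))              # ticket expired at 8 h, session still alive
    print(run(reqs, 29700, renew_margin=3600))  # policy forced a WebKDC visit at 7.5 h
```

With no policy the app session is still alive at 8.25 h (last request at 7.5 h slid the app-token to 8.5 h) but the 8 h ticket is gone, which is the gap the message describes. Setting `renew_margin` to the app-token lifetime guarantees the ticket outlives any idle period the app-token itself can survive, at the cost of a WebKDC redirect on the request where the margin is crossed; once the SSO session has expired that redirect turns into a re-authentication instead.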
Credential delegation, renewal and S4U (Peter Mogensen)