Re: [keycloak-dev] Putting a value into a custom Protocol mapper

OK, I have an ugly hack. I hope someone might have a suggestion more aligned with Keycloak architecture My hack is to use a ThreadLocal to hold the serialized Kerberos ticket in the LDAPStorageProvider public static final String KERBEROS_NOT_SET = "*NOT_SET"; public static final ThreadLocal<String> SERILIZED_KERBEROS_TICKET = new ThreadLocal<String>() { @Override protected String initialValue() { return KERBEROS_NOT_SET; } }; public boolean validPassword(RealmModel realm, UserModel user, String password) { if (kerberosConfig.isAllowKerberosAuthentication() && kerberosConfig.isUseKerberosForPasswordAuthentication()) { // Use Kerberos JAAS (Krb5LoginModule) KerberosUsernamePasswordAuthenticator authenticator = factory.createKerberosUsernamePasswordAuthenticator(kerberosConfig); boolean isValid = authenticator.validUser(user.getUsername(), password); if (isValid) { SERILIZED_KERBEROS_TICKET.set(authenticator.getSerializedKerberosTicket()); } return isValid; } else { // Use Naming LDAP API ... And in the UsernamePasswordForm 1: override the validate password method 2: write the serialized ticket as a user session note to the AuthenticationFlowContext. @Override public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) { boolean isValid = super.validatePassword(context, user, inputData); if (isValid) { saveKerbTicketClaim(context); } return isValid; } private void saveKerbTicketClaim(AuthenticationFlowContext context) { String kerbTicket = LDAPStorageProvider.SERILIZED_KERBEROS_TICKET.get(); if (!kerbTicket.equals(LDAPStorageProvider.KERBEROS_NOT_SET)) { context.getAuthenticationSession() .setUserSessionNote(KerberosConstants.GSS_DELEGATION_CREDENTIAL, kerbTicket); } LDAPStorageProvider.SERILIZED_KERBEROS_TICKET.remove(); return; } This is bad, but it works for now until someone can point out to me what I missed. -----Original Message----- From: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-bounces(a)lists.jboss.org&gt; On Behalf Of Chris Smith Sent: Monday, June 17, 2019 5:38 PM To: keycloak-dev(a)lists.jboss.org; Marek Posolda <mposolda(a)redhat.com&gt; Subject: Re: [keycloak-dev] Putting a value into a custom Protocol mapper correction From: Chris Smith Sent: Monday, June 17, 2019 5:15 PM To: keycloak-dev(a)lists.jboss.org; Marek Posolda <mposolda(a)redhat.com&gt; Subject: RE: Putting a value into a custom Protocol mapper I really need some help here I can not find out how to add a Claim after a successful Kerberos User/Password login This is as far as I know what is going on. This is in the LDAPStorageProvider class. The KerberosUsernamePasswordAuthenticator has been updated to hold the serialized Kerberos ticket. I now need to put this somewhere/somehow so that my custom Protocol mapper will put it into the Access Token public boolean validPassword(RealmModel realm, UserModel user, String password) { if (kerberosConfig.isAllowKerberosAuthentication() && kerberosConfig.isUseKerberosForPasswordAuthentication()) { // Use Kerberos JAAS (Krb5LoginModule) Map<String, String> state = new HashMap<>(); KerberosUsernamePasswordAuthenticator authenticator = factory.createKerberosUsernamePasswordAuthenticator(kerberosConfig); boolean isValidUser = authenticator.validUser(user.getUsername(), password); if (isValidUser) { String delegationCredential = authenticator.getSerializedKerberosTicket(); if (delegationCredential != null) { state.put("odic-fms-sso-kerberos-ticket-mapper", delegationCredential); } << WHAT GOES HERE?? >> return isValidUser; This is from my servlet KeycloakPrincipal<KeycloakSecurityContext> kcp = (KeycloakPrincipal<KeycloakSecurityContext>)request.getUserPrincipal(); AccessToken at = kcp.getKeycloakSecurityContext().getToken(); Map<String, Object> otherClaims = at.getOtherClaims(); String otherClaim = (String)otherClaims.get("odic-fms-sso-kerberos-ticket-mapper"); GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(otherClaim); From: Chris Smith Sent: Friday, June 14, 2019 4:24 PM To: keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org> Subject: Putting a value into a custom Protocol mapper I'm trying to have a custom protocol mapper provide a serialized Kerberos ticket as a claim I have updated the KerberosUsernamePasswordAuthenticator so that it gets the ticket public Subject authenticateSubject(String username, String password) throws LoginException { String principal = getKerberosPrincipal(username); logger.debug("Validating password of principal: " + principal); loginContext = new LoginContext("does-not-matter", null, createJaasCallbackHandler(principal, password), createJaasConfiguration()); loginContext.login(); serializedKerberosTicket = serializeTicket(); logger.debug("Principal " + principal + " authenticated succesfully"); return loginContext.getSubject(); } private String serializeTicket() { KerberosTicket kerberosTicket = loginContext.getSubject() .getPrivateCredentials(KerberosTicket.class) .stream().findFirst().get(); try (ByteArrayOutputStream bos = new ByteArrayOutputStream(); ObjectOutputStream oos = new ObjectOutputStream(bos)){ oos.writeObject(kerberosTicket); return Base64.getEncoder().encodeToString(bos.toByteArray()); } catch (IOException e) { logger.error("Kerberos ticket serialization failed", e); return null; } } I reviewed the SPNEGOAuthenticator and traced it's execution to see how it adds the Kerberos ticket and I do not see that as a workable approach as it is so different from the Kerberos User/Password authenticator. Where can my custom KerberosUsernamePasswordAuthenticator put the serialized ticket so that my custom protocol mapper will get it and add it as a claim on my Access token? I have looked and googled with no luck. _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev