Hello,

My name is Erwin, and I’ve got a question regarding the Kerberos authorization.

We want to use Keycloak for a project where we need to let people log in through Kerberos.

The user federation providers are only sortable by priority but we’ll probably get 20 or more providers for this application.

Now we want to filter based on the realm the user is in. I’ve tried a few things and I saw it was possible to decrypt the Kerberos token with base64.

After that it was possible to add something like the following on line 430 of file

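// Fail validation for this provider when the decoded token does not contain its configured realm name
String decodedToken = new String(Base64.decode(spnegoToken));
if (!decodedToken.contains(kerberosConfig.getKerberosRealm())) {
    return CredentialValidationOutput.failed();
}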

This way the token won’t be validated against the Kerberos server that isn’t configured for the specific realm.

I’m not too familiar with the whole Kerberos token, so I don’t know if this will work in all situations.

Can someone tell me if this is the “correct” way of doing this, or is there some other way I haven’t seen yet?

Thanks in advance,

Erwin Oldenkamp

+31(0)88 77 88 990

erwin.oldenkamp@topicus.nl

Koggelaan 3-A

8017 JH Zwolle

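One way to read the realm structurally instead of substring-matching the decoded bytes, as an added example that is not part of the original message or of Keycloak's code: it walks the token's DER encoding and returns the realm field of the Kerberos Ticket, which RFC 4120 leaves unencrypted. That field is the realm of the service the ticket was issued for (the client's realm sits in the encrypted part). The class name, method names and sample bytes are assumptions constructed here, and `java.util.Base64` stands in for the decoder used in the snippet.

```java
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

final class TicketRealmFilter {
    /** Cleartext realm of the first Kerberos Ticket in the token; empty for NTLM, garbage or truncated input. */
    static Optional<String> ticketRealm(String tokenBase64) {
        try {
            return Optional.ofNullable(find(ByteBuffer.wrap(Base64.getDecoder().decode(tokenBase64)), 0, 0));
        } catch (RuntimeException e) { // bad Base64, bad DER length, or truncated input
            return Optional.empty();
        }
    }
    // Consumes the length and content of one TLV (the tag byte is already read) and returns the content.
    private static ByteBuffer content(ByteBuffer in) {
        int len = in.get() & 0xFF;
        if (len > 0x7F) { // long form: the low 7 bits give the number of length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 3) throw new IllegalArgumentException("unsupported DER length");
            for (len = 0; n > 0; n--) len = (len << 8) | (in.get() & 0xFF);
        }
        if (len > in.remaining()) throw new IllegalArgumentException("length exceeds input");
        byte[] body = new byte[len];
        in.get(body);
        return ByteBuffer.wrap(body);
    }
    // Depth-first walk; path holds the last four tags seen on the way down. The 2-byte krb5
    // token id (01 00) happens to parse as an empty TLV and is skipped like any primitive.
    private static String find(ByteBuffer in, int path, int depth) {
        while (in.hasRemaining()) {
            int tag = in.get() & 0xFF;
            ByteBuffer body = content(in);
            int here = (path << 8) | tag;
            // Ticket [APPLICATION 1] > SEQUENCE > realm [1] > GeneralString
            if (here == 0x6130A11B) return StandardCharsets.US_ASCII.decode(body).toString();
            boolean container = (tag & 0x20) != 0 || tag == 0x04; // constructed, or OCTET STRING (SPNEGO mechToken)
            String realm = (container && depth < 16) ? find(body, here, depth + 1) : null;
            if (realm != null) return realm;
        }
        return null;
    }
    public static void main(String[] args) {
        // Constructed sample: krb5 GSS token holding a truncated AP-REQ whose Ticket realm is EXAMPLE.COM
        byte[] der = new BigInteger("602b06092a864886f71201020201006e1c301aa31861163014a003020105a10d1b0b4558414d504c452e434f4d", 16).toByteArray();
        System.out.println(ticketRealm(Base64.getEncoder().encodeToString(der)));
        System.out.println(ticketRealm("TlRMTVNTUAABAAAA")); // constructed start of an NTLM message, which is not DER
    }
}
```

The returned realm is only a hint for choosing which provider to try: it is unauthenticated until that provider's GSS-API validation accepts the token. Kerberos realm names are case-sensitive, so compare with an exact `equals` against the configured realm.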