[keycloak-dev] Putting a value into a custom Protocol mapper

[Chris Smith]

I'm trying to have a custom protocol mapper provide a serialized Kerberos ticket as a claim

I have updated the KerberosUsernamePasswordAuthenticator so that it gets the ticket

    public Subject authenticateSubject(String username, String password) throws LoginException {
        String principal = getKerberosPrincipal(username);

        logger.debug("Validating password of principal: " + principal);
        loginContext = new LoginContext("does-not-matter", null,
                createJaasCallbackHandler(principal, password),
                createJaasConfiguration());

        loginContext.login();
        serializedKerberosTicket = serializeTicket();
        logger.debug("Principal " + principal + " authenticated succesfully");
        return loginContext.getSubject();
    }

    private String serializeTicket() {
        KerberosTicket kerberosTicket = loginContext.getSubject()
                .getPrivateCredentials(KerberosTicket.class)
                .stream().findFirst().get();
    try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
           ObjectOutputStream oos = new ObjectOutputStream(bos)){
                oos.writeObject(kerberosTicket);
                return Base64.getEncoder().encodeToString(bos.toByteArray());
           } catch (IOException e) {
                logger.error("Kerberos ticket serialization failed", e);
                return null;
           }
    }

I reviewed the SPNEGOAuthenticator and traced it's execution to see how it adds the Kerberos ticket and I do not see that as a workable approach as it is so different from the Kerberos User/Password authenticator.

Where can my custom KerberosUsernamePasswordAuthenticator put the serialized ticket so that my custom protocol mapper will get it and add it as a claim on my Access token?

I have looked and googled with no luck.