[keycloak-dev] Putting a value into a custom Protocol mapper
Chris Smith
chris.smith at cmfirstgroup.com
Mon Jun 17 18:14:30 EDT 2019
I really need some help here
I can not find out how to add a Claim after a successful Kerberos User/Password login
This is as far as I know what is going on.
This is in the LDAPStorageProvider class. The KerberosUsernamePasswordAuthenticator has been updated to hold the serialized Kerberos ticket. I now need to put this somewhere/somehow so that my custom Protocol mapper will put it into the Access Token
public boolean validPassword(RealmModel realm, UserModel user, String password) {
if (kerberosConfig.isAllowKerberosAuthentication() && kerberosConfig.isUseKerberosForPasswordAuthentication()) {
// Use Kerberos JAAS (Krb5LoginModule)
Map<String, String> state = new HashMap<>();
KerberosUsernamePasswordAuthenticator authenticator = factory.createKerberosUsernamePasswordAuthenticator(kerberosConfig);
boolean isValidUser = authenticator.validUser(user.getUsername(), password);
if (isValidUser) {
String delegationCredential = authenticator.getSerializedKerberosTicket();
if (delegationCredential != null) {
state.put(KerberosConstants.GSS_DELEGATION_CREDENTIAL, delegationCredential);
}
<< WHAT GOES HERE?? >>
return isValidUser;
This is from my servlet
KeycloakPrincipal<KeycloakSecurityContext> kcp = (KeycloakPrincipal<KeycloakSecurityContext>)request.getUserPrincipal();
AccessToken at = kcp.getKeycloakSecurityContext().getToken();
Map<String, Object> otherClaims = at.getOtherClaims();
String otherClaim = (String)otherClaims.get("odic-fms-sso-kerberos-ticket-mapper");
GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(otherClaim);
From: Chris Smith
Sent: Friday, June 14, 2019 4:24 PM
To: keycloak-dev at lists.jboss.org
Subject: Putting a value into a custom Protocol mapper
I'm trying to have a custom protocol mapper provide a serialized Kerberos ticket as a claim
I have updated the KerberosUsernamePasswordAuthenticator so that it gets the ticket
public Subject authenticateSubject(String username, String password) throws LoginException {
String principal = getKerberosPrincipal(username);
logger.debug("Validating password of principal: " + principal);
loginContext = new LoginContext("does-not-matter", null,
createJaasCallbackHandler(principal, password),
createJaasConfiguration());
loginContext.login();
serializedKerberosTicket = serializeTicket();
logger.debug("Principal " + principal + " authenticated succesfully");
return loginContext.getSubject();
}
private String serializeTicket() {
KerberosTicket kerberosTicket = loginContext.getSubject()
.getPrivateCredentials(KerberosTicket.class)
.stream().findFirst().get();
try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bos)){
oos.writeObject(kerberosTicket);
return Base64.getEncoder().encodeToString(bos.toByteArray());
} catch (IOException e) {
logger.error("Kerberos ticket serialization failed", e);
return null;
}
}
I reviewed the SPNEGOAuthenticator and traced it's execution to see how it adds the Kerberos ticket and I do not see that as a workable approach as it is so different from the Kerberos User/Password authenticator.
Where can my custom KerberosUsernamePasswordAuthenticator put the serialized ticket so that my custom protocol mapper will get it and add it as a claim on my Access token?
I have looked and googled with no luck.
More information about the keycloak-dev
mailing list