[keycloak-dev] Adding a Kerberos ticket as a Claim (not SPNEGO)

Chris Smith chris.smith at cmfirstgroup.com
Thu May 23 18:13:04 EDT 2019


I can get the Kerberos ticket I need when the KerberosUsernamePasswordAuthenticator performs a User/Password validation.
I have validated that the ticket can be used for IBM EIM (Enterprise Identity Mapping).

    import java.io.ByteArrayOutputStream;
    import java.io.IOException;
    import java.io.ObjectOutputStream;
    import java.util.Optional;
    import javax.security.auth.Subject;
    import javax.security.auth.kerberos.KerberosTicket;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import org.keycloak.common.util.Base64;

    public Subject authenticateSubject(String username, String password) throws LoginException {
        String principal = getKerberosPrincipal(username);

        logger.debug("Validating password of principal: " + principal);
        loginContext = new LoginContext("does-not-matter", null, createJaasCallbackHandler(principal, password),
                createJaasConfiguration());

        loginContext.login();
        logger.debug("Principal " + principal + " authenticated successfully");
        Subject subject = loginContext.getSubject();
        serializeKerberosTicket(subject);
        return subject;
    }

    private void serializeKerberosTicket(Subject subject) {
        Optional<KerberosTicket> kerbTicket = subject.getPrivateCredentials(KerberosTicket.class).stream().findFirst();
        if (kerbTicket.isPresent()) {
            // try-with-resources flushes and closes both streams, so no buffered bytes are lost
            // before bos.toByteArray() is read
            try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
                 ObjectOutputStream oos = new ObjectOutputStream(bos)) {
                oos.writeObject(kerbTicket.get());
                oos.flush();
                String serializedKerberosTicket = Base64.encodeBytes(bos.toByteArray());
                // TODO add as a claim
            } catch (IOException e) {
                logger.debug("Kerberos Ticket Serialize failed", e);
            }
        } else {
            logger.debug("Kerberos Ticket was not found in Subject");
        }
    }

I tried to follow the SPNEGOAuthenticator but I got lost.
Is there an easy place to put the String serializedKerberosTicket so it will be added as a claim?
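Added example (not the poster's code and not Keycloak's): a stand-alone Java program that builds a KerberosTicket from constructed placeholder values (no KDC, no krb5.conf), serializes it the same way the helper above does, and reads it back to show what the resulting claim value actually carries. It uses java.util.Base64 instead of Keycloak's org.keycloak.common.util.Base64 so it runs with a bare JDK; the principal names, key bytes and ASN.1 bytes are made up for the demo, and the class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.net.InetAddress;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class KerberosTicketClaimCheck {

    // Constructed sample ticket: every value here is a placeholder, nothing came from a KDC.
    static KerberosTicket sampleTicket() {
        byte[] asn1Encoding = new byte[] { 0x61, 0x03, 0x02, 0x01, 0x05 }; // placeholder, not a real Ticket
        byte[] sessionKey = new byte[32];
        Arrays.fill(sessionKey, (byte) 0x42);                              // placeholder key bytes
        long now = System.currentTimeMillis();
        return new KerberosTicket(asn1Encoding,
                new KerberosPrincipal("alice@EXAMPLE.TEST"),               // assumed client principal
                new KerberosPrincipal("krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"), // assumed service principal
                sessionKey,
                18,                                                        // aes256-cts-hmac-sha1-96 etype number
                new boolean[32],                                           // no ticket flags set, so not renewable
                new Date(now), new Date(now), new Date(now + 8 * 3600_000L),
                null,                                                      // renewTill: not renewable
                (InetAddress[]) null);
    }

    // Same approach as the poster's serializeKerberosTicket(): Java serialization, then base64.
    static String serialize(KerberosTicket ticket) throws IOException {
        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
             ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(ticket);
            oos.flush();
            return Base64.getEncoder().encodeToString(bos.toByteArray());
        }
    }

    // Reads our own blob back. Only ever point ObjectInputStream at data you produced yourself.
    static KerberosTicket deserialize(String claimValue) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(claimValue);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return (KerberosTicket) ois.readObject();
        }
    }

    // True when the session key survives the round trip: the claim is then a usable credential,
    // not an opaque reference, and the token carrying it must be protected accordingly.
    static boolean sessionKeyTravelsWithClaim(KerberosTicket original, String claimValue) throws Exception {
        KerberosTicket copy = deserialize(claimValue);
        return Arrays.equals(original.getSessionKey().getEncoded(), copy.getSessionKey().getEncoded());
    }

    public static void main(String[] args) throws Exception {
        KerberosTicket ticket = sampleTicket();
        String claimValue = serialize(ticket);
        System.out.println("claim value length (base64 chars): " + claimValue.length());
        System.out.println("session key survives serialization: "
                + sessionKeyTravelsWithClaim(ticket, claimValue));
        ticket.destroy(); // wipe the in-memory copy once the claim value has been handed off
    }
}
```

The point a reviewer would check before wiring this into a mapper: KerberosTicket's serialized form includes the session key (KeyImpl writes the raw key bytes as an ASN.1 EncryptionKey), so whatever token ends up holding this claim holds a credential that is valid until the ticket's end time. Treat that token like the ticket itself (TLS only, short lifetime, no logging of the claim), and keep the ObjectInputStream side for data this service produced, never for a claim supplied by a client.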

