[keycloak-dev] Adding a Kerberos ticket as a Claim (not SPNEGO)
Chris Smith
chris.smith at cmfirstgroup.com
Thu May 23 18:13:04 EDT 2019
I can get the Kerberos ticket I need when the KerberosUsernamePasswordAuthenticator performs a User/Password validation.
I have validated that the ticket can be used for IBM EIM(Enterprise Identity Mapping)
public Subject authenticateSubject(String username, String password) throws LoginException {
String principal = getKerberosPrincipal(username);
logger.debug("Validating password of principal: " + principal);
loginContext = new LoginContext("does-not-matter", null, createJaasCallbackHandler(principal, password),
createJaasConfiguration());
loginContext.login();
logger.debug("Principal " + principal + " authenticated succesfully");
Subject subject = loginContext.getSubject();
serializeKerberosTicket(subject);
return subject;
}
private void serializeKerberosTicket(Subject subject) {
Optional<KerberosTicket> kerbTicket = subject.getPrivateCredentials(KerberosTicket.class).stream().findFirst();
if (kerbTicket.isPresent()) {
try {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bos);
oos.writeObject(kerbTicket.get());
String serializedKerberosTicket = Base64.encodeBytes(bos.toByteArray());
// TODO add as a claim
} catch (IOException e) {
logger.debug("Kerberos Ticket Serialize failed", e);
}
} else {
logger.debug("Kerberos Ticket was not found in Subject");
}
}
I tried to follow the SPNEGOAuthenticator but I got lost.
Is there an easy place to put the String serializedKerberosTicket so it will be added as a claim?
More information about the keycloak-dev
mailing list