[keycloak-user] GSS delegation credential mapper

Marek Posolda mposolda at redhat.com
Thu Aug 9 03:37:49 EDT 2018


On 08/08/18 13:33, Paolo Tedesco wrote:
> Hi,
>
> I'm trying to configure the GSS credential mapper for an application.
> I've configured SPNEGO authentication on the server, and this is working.
> Then I've created an application (confidential client) and added a gss delegation credential mapper to the application, but I don't seem to get a claim with the GSS credentials in the token after I authenticate. If I understood correctly, I should see a claim in the access token named "gss_delegation_credential".
>
> Is there anything else I need to configure, like some additional mappers?
I think nothing else is needed on the Keycloak side.

For Kerberos, there is a need to configure the tickets as 
"forwardable" in the Kerberos client configuration (usually in 
/etc/krb5.conf ). There might also be a need to configure the browser (for 
example in FF it is "network.negotiate-auth.delegation-uris" ).

A good way to detect whether the delegation is missing at the SPNEGO flow 
side or at the Keycloak side is to enable DEBUG logging at least for the 
category: org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator . 
After a successful login, you should see a message like this (see sources here):

// From SPNEGOAuthenticator: logged at DEBUG once the GSS context has been accepted
String message = new StringBuilder("SPNEGO Security context accepted with token: " + responseToken)
        .append(", established: ").append(gssContext.isEstablished())
        // credDelegState tells you whether the client actually delegated its credential
        .append(", credDelegState: ").append(gssContext.getCredDelegState())
        .append(", mutualAuthState: ").append(gssContext.getMutualAuthState())
        .append(", lifetime: ").append(gssContext.getLifetime())
        .append(", confState: ").append(gssContext.getConfState())
        .append(", integState: ").append(gssContext.getIntegState())
        .append(", srcName: ").append(gssContext.getSrcName())
        .append(", targName: ").append(gssContext.getTargName())
        .toString();
log.debug(message);

If you see that the credDelegState is null, you know that you need to figure 
it out at the Kerberos/SPNEGO flow level. Otherwise at the Keycloak level.

For inspiration, you can take a look at the "kerberos" example from the 
Keycloak-examples distribution, which shows delegation.

Marek
> Also, is it possible to get this gss_delegation_credential token only authenticating with SPNEGO, or would it be possible to get it also with other authentication mechanisms (e.g. x509 certificate, username and password)?
>
> Thanks,
> Paolo Tedesco
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
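The triage Marek describes (read the SPNEGOAuthenticator DEBUG line, check credDelegState, and check that krb5.conf asks for forwardable tickets) as a small added helper. This is example code written for this page, not part of Keycloak; the log lines and the krb5.conf fragments are constructed samples, and the WildFly-style logger prefix is an assumption.

```python
import re

# Marker emitted by Keycloak's SPNEGOAuthenticator (from the source quoted above).
MARKER = "SPNEGO Security context accepted with token: "

def parse_spnego_debug(line):
    """Return the key/value fields of one 'context accepted' DEBUG line, or None.
    The logger prefix (timestamp, category, thread) is skipped by locating MARKER."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    # First field is the base64 SPNEGO token (no commas); the rest are "key: value".
    token, *fields = line[idx + len(MARKER):].strip().split(", ")
    parsed = {"token": token}
    for field in fields:
        key, sep, value = field.partition(": ")
        if sep:
            parsed[key.strip()] = value.strip()
    return parsed

def triage_delegation(line):
    """'kerberos': context accepted but no credential was delegated (check
    forwardable tickets / browser delegation-uris); 'keycloak': delegation
    arrived, so look at the client and mapper config; 'no-match' otherwise."""
    fields = parse_spnego_debug(line)
    if fields is None:
        return "no-match"
    # Only an explicit true means a delegated credential reached Keycloak.
    return "keycloak" if fields.get("credDelegState") == "true" else "kerberos"

def krb5_forwardable(krb5_conf):
    """True if [libdefaults] in a krb5.conf text requests forwardable tickets.
    Only that section counts; the same key under another section is ignored."""
    in_libdefaults = False
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_libdefaults = line.lower() == "[libdefaults]"
            continue
        m = re.match(r"forwardable\s*=\s*(\S+)", line, re.IGNORECASE)
        if in_libdefaults and m:
            return m.group(1).lower() in ("true", "yes", "1")
    return False

# Constructed sample lines in WildFly log format (not real captures).
NO_DELEGATION = ("2018-08-09 09:37:49,123 DEBUG [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator]"
    " (default task-1) SPNEGO Security context accepted with token: YIGdBgYrBgEFBQKg, established: true,"
    " credDelegState: false, mutualAuthState: true, lifetime: 35940, confState: true, integState: true,"
    " srcName: alice@EXAMPLE.COM, targName: HTTP/kc.example.com@EXAMPLE.COM")
WITH_DELEGATION = NO_DELEGATION.replace("credDelegState: false", "credDelegState: true")
```

Feed it the real server.log lines and your own /etc/krb5.conf: a "kerberos" verdict with forwardable unset points at the client side before any mapper is touched.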