Skip to content

Configure Kerberos Grant

This page guides you through the flow involved in exchanging a Kerberos ticket for an OAuth2 token. To learn more, see Kerberos grant.


Enable kerberos grant

  1. Download the kerberos grant.jar file.

  2. Copy the JAR into the <IS_HOME>/repository/components/lib directory.

  3. Add the following entry to the <IS_HOME>/repository/conf/deployment.toml file.

    [oauth.grant_type.kerberos]
    enable = true

Create a service provider

To register your application as a service provider in the MWARE IAM:

  1. Log in to the MWARE IAM Management Console using administrator credentials.

  2. Go to Main > Identity > Service Providers > Add.

  3. Enter a Service Provider Name. Optionally, enter a Description.

  4. Click Register.

  5. Expand Inbound Authentication Configuration and then OAuth/OpenID Connect Configuration.

  6. Click Configure.

  7. Select Kerberos from the Allowed Grant Types list.

  8. Enter the Callback Url.

    Tip

    For more information on the Callback Url field and other advanced configurations, see Advanced OpenID Connect Configurations.

  9. Click Add.

    Note that the OAuth Client Key and Client Secret are generated. You will need these values later on when sending the request to the authorization endpoint.

  10. Click Register.


Register an identity provider

  1. Log in to the Management Console(https://<IS_HOST>:<PORT>/carbon) using administrator credentials (admin:admin).

  2. On Main tab Click Identity > Identity Providers > Add.

    add-identity-provider

  3. Add a new Identity Provider (IdP). Enter the basic information as follows.

    Note

    The IDP name should be the name of the realm as specified in step 3 of Generate the kerberos token. Based on this example, it should be example.com.

    add-new-idp-kerberos

  4. Expand the Federated Authenticators tab, and then the IWA Kerberos Configuration tab. Enter the required details as follows.

  5. Click Register.


Generate the kerberos token

  1. Git clone the KerbClientProject.

    git clone https://github.com/erandacr/KerbClientProject
  2. Run KerbClient.cs using an IDE.

    Tip

    You can run it using Visual Studio by downloading and installing the following libraries and programs.

    Note that you can also use any other IDE to run this project.

  3. Configure the following parameters in the project according to your setup.

    // Service Name goes here
    static string serviceName = "HTTP/apimserver.example.com@EXAMPLE.COM";
    // Token endpoint URL
    static string URI = "https://idp.example.com:9443/oauth2/token";
    // Client ID
    static string username = "1ouL2fO6SxlfD2LDw125cTo0vQka";
    // Client Secret
    static string password = "uUEtm89tY6QZuZUmqZfL92BDFeAa";
    // Kerberos realm name
    static string realm_Name = "example.com";
  4. Run the project by selecting the Start without Debugging option on the Visual Studio editor.

    This project generates a Kerberos ticket and a kerberos token is generated using the ticket. The generated token can be used to get the OAuth token.


Invoke the token endpoint

Use one of the following curl commands to request for the OAuth token using the kerberos token.

Request 1

curl -v -X POST -H "Authorization: Basic <base64 encoded client id:client secret value>" -k -d "grant_type=kerberos&kerberos_realm=<kerberos realm>&kerberos_token=<kerberos token>" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token


Request 2

curl -u <client id>:<client secret> -k -d "grant_type=kerberos&kerberos_realm=<kerberos realm>&kerberos_token=<kerberos token>" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token

You will receive the following response.

POST /oauth2/token HTTP/1.1
Host: idp.example.com:9443
Content-Type: application/x-www-form-urlencoded
Authorization: Basic MW91TDJmTzZTeGxmRDJMRHcxMjVjVG8wdlFrYTp1VUV0bTg5dFk2UVp1WlVtcVpmTDkyQkRGZUFh
grant_type=kerberos&kerberos_realm=example.com&kerberos_token=YII1…

The Kerberos client receives the OAuth2 token.

The Kerberos Grant then validates the received token with the provided Identity Provider (IdP) credentials and if it is a valid token, it issues an OAuth2 token to the client.

Example

{
    "access_token":"636ce45f-c7f6-3a95-907f-d1f8aca28403",
    "refresh_token":"831271d9-16ba-3bad-af18-b9f6592a8677",
    "scope":"my_scope",
    "token_type":"Bearer",
    "expires_in":521
}

Related topics

Top