This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Kerberos Grant
Kerberos is a security protocol with support built into various operating systems and open-source distributions (e.g., Ubuntu, Windows, Red Hat, OpenSolaris). Additionally, a majority of browsers support some Kerberos functions as well. As WSO2 Identity Server (WSO2 IS) uses the OAuth 2.0 protocol, the Kerberos-OAuth2 grant type allows organizations to exchange a Kerberos ticket for an OAuth 2.0 token. This allows organizations to re-use their existing Kerberos infrastructure while adopting OAuth 2.0.
Kerberos-OAuth2 grant flow
The following section describes the flow involved in exchanging a Kerberos ticket for an OAuth2 token.
1. The Kerberos client requests a Kerberos Service Ticket for the service it wants to invoke from the Kerberos Key Distribution Center (KDC). The KDC can be any Kerberos server.
2. The KDC sends a response with the Kerberos Service Ticket. If the client and the requested service are valid, the KDC issues a service ticket encrypted with the service's long-term secret key (the key shared between the service principal and the KDC; Kerberos uses symmetric keys, so there is no private key involved). The Kerberos client API handles the exchange of the Ticket Granting Ticket (TGT), the Service Granting Ticket (SGT), and all other low-level Kerberos details.
3. The Kerberos client requests the OAuth2 token. The message format of the OAuth2 token request should be as follows:
4. The Kerberos client receives the OAuth2 token. The Kerberos Grant validates the received ticket using the credentials configured on the Identity Provider (IDP), that is, the Server Principal Name and Server Principal Password from which the same service key is derived, and if the ticket is valid it issues an OAuth2 token to the client.
   Example:
   {
     "access_token":"636ce45f-c7f6-3a95-907f-d1f8aca28403",
     "refresh_token":"831271d9-16ba-3bad-af18-b9f6592a8677",
     "scope":"my_scope",
     "token_type":"Bearer",
     "expires_in":521
   }
Configuring Kerberos Grant with Identity Server
Follow the instructions below to configure Kerberos Grant with WSO2 IS:
1. Download the Kerberos-grant JAR (kerberos-grant-1.0.0.jar).
2. Copy the JAR into the <IS_HOME>/repository/components/lib directory.
3. Add the following entry under <SupportedGrantTypes> in the <IS_HOME>/repository/conf/identity/identity.xml file.
   <SupportedGrantType>
       <GrantTypeName>kerberos</GrantTypeName>
       <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.kerberos.KerberosGrant</GrantTypeHandlerImplClass>
       <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.kerberos.KerberosGrantValidator</GrantTypeValidatorImplClass>
   </SupportedGrantType>
4. Configure OAuth2 for your client application with kerberos as an allowed grant type.
   - Sign in to the WSO2 IS Management Console: https://<Server-Host>:9443/carbon
   - Navigate to the Main menu, click Add under the Service Providers menu.
   - Add a new Service Provider and configure OAuth2 for your client application, selecting kerberos (the GrantTypeName registered in step 3 above) as an allowed grant type.
5. Configure the Service Principal Name (SPNName) and Service Principal Password (SPNPassword).
   - Sign in to the WSO2 IS Management Console.
   - Navigate to the Main menu, click Add under the Identity Providers menu.
   - Add a new Identity Provider (IDP). Enter the basic information as follows. The IDP name must be the name of the realm as specified in the token request in step 3 of the grant flow; based on this example, it is example.com.
     - Identity Provider Name: example.com
     - Alias: https://192.168.53.12:9443/oauth/token
   - Expand the Federated Authenticators tab, and then the IWA Kerberos Configuration tab. Enter the required details as follows. The Server Principal Name must be exactly the service principal the client requested its service ticket for, because that ticket is encrypted with that principal's key; a mismatch in host name or realm makes validation fail. The Server Principal Password is stored in the IDP configuration and is equivalent to the service's Kerberos key, so restrict who can read or edit this IDP.
     - Server Principal Name: HTTP/idp.example.com@EXAMPLE.COM
     - Server Principal Password: <password>
6. Invoke the token endpoint using the message format discussed in step 3 of the grant flow.
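The Java class below is an added example, written for this page and not taken from the WSO2 kerberos-grant JAR, showing what the validation in step 4 of the grant flow amounts to and how the Identity Provider Name, Server Principal Name and Server Principal Password from step 5 are used. It relies only on the JDK's JAAS and GSS-API. Everything about the request shape is an assumption: the form parameter names kerberos_realm and kerberos_token, the JAAS entry name KerberosAcceptor, and the IdP settings passed to the constructor are chosen for illustration and are not documented on this page.

```java
// Added example, not WSO2's kerberos-grant code. Assumed (not from the page):
// form parameters "kerberos_realm" and "kerberos_token" (base64 Kerberos/SPNEGO
// token), and a JAAS entry "KerberosAcceptor" in the file passed via
// -Djava.security.auth.login.config, e.g.:
//   KerberosAcceptor {
//       com.sun.security.auth.module.Krb5LoginModule required
//       isInitiator=false storeKey=true;
//   };
// krb5.conf must point at the realm's KDC for the acceptor login to succeed.
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class KerberosGrantCheck {
    private static final Oid SPNEGO = oid("1.3.6.1.5.5.2");
    private static final Oid KRB5 = oid("1.2.840.113554.1.2.2");

    private final String idpName;      // Identity Provider Name, e.g. "example.com"
    private final String spn;          // Server Principal Name, e.g. "HTTP/idp.example.com@EXAMPLE.COM"
    private final char[] spnPassword;  // Server Principal Password from the IdP configuration

    public KerberosGrantCheck(String idpName, String spn, char[] spnPassword) {
        this.idpName = idpName;
        this.spn = spn;
        this.spnPassword = spnPassword;
    }

    /** Returns the authenticated client principal (e.g. "alice@EXAMPLE.COM") or throws. */
    public String authenticate(Map<String, String> form) throws Exception {
        String realm = form.get("kerberos_realm");
        String b64 = form.get("kerberos_token");
        if (realm == null || b64 == null) {
            throw new IllegalArgumentException("kerberos_realm and kerberos_token are required");
        }
        // The realm selects the IdP; it must match the configured IdP name exactly.
        if (!realm.equals(idpName)) {
            throw new SecurityException("no identity provider configured for realm " + realm);
        }
        byte[] token = Base64.getDecoder().decode(b64);  // rejects malformed base64

        // Log in as the acceptor. Krb5LoginModule derives the service's long-term key
        // from the SPN password; that key is what decrypts the service ticket in the token.
        LoginContext lc = new LoginContext("KerberosAcceptor", callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(spn);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(spnPassword);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        });
        lc.login();
        try {
            return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> accept(token));
        } finally {
            lc.logout();
        }
    }

    private String accept(byte[] token) throws GSSException {
        GSSManager gss = GSSManager.getInstance();
        GSSCredential cred = gss.createCredential(gss.createName(spn, GSSName.NT_USER_NAME),
                GSSCredential.DEFAULT_LIFETIME, new Oid[] {SPNEGO, KRB5}, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = gss.createContext(cred);
        try {
            // The grant is one-shot: the context must be established from this single token.
            // (In an HTTP Negotiate exchange the reply token would go back to the client.)
            ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) {
                throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            }
            String client = ctx.getSrcName().toString();
            // Accept only principals of the requested realm (Kerberos realm names are upper case).
            if (!client.toUpperCase().endsWith("@" + idpName.toUpperCase())) {
                throw new SecurityException("principal " + client + " is not in realm " + idpName);
            }
            return client;
        } finally {
            ctx.dispose();
            cred.dispose();
        }
    }

    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

A token request would be handled with something like new KerberosGrantCheck("example.com", "HTTP/idp.example.com@EXAMPLE.COM", password).authenticate(formParameters); the returned principal is what a real grant handler would then map to a WSO2 user before issuing the access token. Two of the checks are the ones that matter for security: the acceptor credential is built for the configured SPN only, so a ticket issued for any other service principal fails to decrypt, and the authenticated principal's realm is compared against the IdP name, so a ticket from another realm cannot be presented under this IdP.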