Ricky's Hodgepodge

The last month I have been working in a enhancement to make SFU kerberos extensions in Java to work in multi-realm environments. The MS-SFU (Microsoft Service for User) are two kerberos extensions created by Microsoft to provide delegation and impersonation features to the kerberos standard. Delegation is managed by the S4U2proxy extension, a server can request a kerberos ticket on behalf of a user to access a subsequent server. For that with the server's own ticket and the user's ticket the server requests to the KDC (Kerberos Domain Controller) another ticket to connect to a backend server. The ticket is issued and the access to the backend server is performed as it was done by the initial user that connected to the intermediate server. The impersonation moves delegation one step forward, performed by the S4U2self extension, the frontend server in this case is a legacy server (as Microsoft calls it) which does not support kerberos, therefore there is no ticket for the user (the final user logged in using another method, for example common username and password), and this intermediate server performs a full impersonation with its own ticket to access the final backend on behalf of the user. Obviously this features should be configured, the frontend server should be granted with rights to do both operations, and Microsoft currently gives several ways of granting those privileges.

In general the SFU extensions are old and supported by Java since Java 8 but with windows 2012R2 Microsoft added support to cross-realm access. Previously the three roles (final user, frontend server and backend server) should be in the same realm/domain but a new concept, called resource-based constrained delegation, was incorporated to expanse SFU for multi-realm. The JDK never supported the new feature as stated in this JDK bug.

In theory the documentation for MS-SFU is available in the first link at the beginning of this entry but, in my humble opinion, the explanation of how to call both extensions leaves much to be desired. To my surprise, after a lot of tests and tries, when my two demos (delegation and impersonation) started to work, the procedure was not so difficult as it seems to be. Therefore I decided to write how cross-realm for SFU works for me in windows, in an easier way than official documentation.

• S4U2self:

  In the self (impersonation) extension the idea is simple, there are two roles, the user to impersonate and the server that impersonates. First the server should know in which realm the user is located (that part is out of the scope of this explanation). Once you know the realm where the user resides, you get a TGT (ticket) to that realm and perform a S4U2self against the KDC of the user's realm. The KDC returns a proper ticket with the information for that user (PAC extensions with roles and everything is included in the credentials) because, in the end, this is the KDC for the user, the one that knows the account information. After that, the ticket received is updated back to the server realm and a final S4U2self is executed against the local realm. This time the user information is there and the impersonation in the local realm can be completed. So, in summary, two S4U2self calls are needed, first in the user's realm (this one obtains the user information) and then another one in the server's realm. Moving from one realm to another requires to obtain TGTs and jumping from realm to realm following authentication paths (capaths).

  

• S4U2proxy:

  In the proxy call (delegation) the idea is similar, but not the same, because now we have a third role, the backend service we are delegating the user to, and two tickets, the user's ticket and our own server's ticket. In this case I finally made it work doing the following steps. First a S4U2proxy is executed against the local server realm, this way we obtain the user's service ticket we can move to the backend's realm. Then both credentials can be moved realm by realm until we reach where the backend server is located. We have to move both tickets (user's and server's service ticket). There a new S4U2proxy is executed that finally returns all the proper grants to call the backend server.

  

For a complete view, the needed configuration to the involved accounts should be described. In this case we need to setup the resource-based constraints delegation using power-shell commands. For the delegation/S4U2proxy the frontend account should be obtained from the domain and assigned as a valid user to be delegated to the backend server (in this example the accounts are called frontend and backend respectively):

$frontend = Get-ADUser -Identity frontend -server FRONTEND.DOMAIN.COM
Set-ADUser -Identity backend -server BACKEND.DOMAIN.COM -PrincipalsAllowedToDelegateToAccount $frontend
Get-ADUser -Identity backend -server BACKEND.DOMAIN.COM -Properties PrincipalsAllowedToDelegateToAccount

The commands use the server option to read the accounts from the needed realm, this way the accounts can be in different AD domains.

In order to perform impersonation the frontend user should be allowed to do so:

Set-ADAccountControl $frontend -TrustedToAuthForDelegation $true

This sets up the delegation for any authenticated protocol in the frontend user, the associated user in AD presents the following configuration.

It seems that S4U2proxy uses the PrincipalsAllowedToDelegateToAccount, users from different domains can be configured as allowed to delegate to the backend account. But in the case of S4U2self the user should have the account control that allows the account to impersonate, TrustedToAuthForDelegation (which is shown as use any authenticated protocol in the user delegation tab).

And that is all. Today's entry is just the explanation of how I think SFU extensions work when different realms are involved. We are trying to add cross-realm to SFU and support for resource-based constraint delegations inside the JDK implementation, my demos are working now but I suppose the process is going to be long so I prefer to, for the moment, not anticipate any event in the blog. I will add more details if I see something moves forward.

Best regards!

Today's entry presents a keycloak integration for an android application. Keycloak is an open-source project that offers Single Sign-On and access management for modern applications and services, and it has been used before in the blog. It is based on standards (like OpenID Connect and SAML) and provides some adapters for different programming languages and application platforms. Previously any integration between a mobile application and keycloak used an embedded browser to perform the login, but now that solution is a no-go. Google started to avoid this technique and recommend custom URLs long time ago. I have almost zero experience in mobile development (sorry for that) but I wanted to test this solution by myself anyway.

The idea is simple, as a mobile program is a client-side application I decided to use a public profile (similar situation to the one in browser-side JavaScript). I think that having a password in the client is almost the same than using none, it gives no extra security. The application is going to be a java one (it is just a PoC, so using kotlin was an extra effort for me).

First creating the public keycloak client for the application is needed. The application will use a weird URL keycloak://keycloaksample/.

Starting with the android application, the custom URL should be defined in the AndroidManifest.xml, in my case for the .MainActivity.

<activity android:name=".MainActivity">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.LAUNCHER" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="keycloak"
            android:host="keycloaksample"
            android:pathPrefix="/"/>
    </intent-filter>
</activity>

With this configuration the .MainActivity will be called when the browser receives the keycloak://keycloaksample/ URL from the SSO server. That feature will be used to use the external browser to do the login and the logout. So a button will initiate the browser which will go to the authentication URL.

    public void login(View view) {
        // "http://192.168.100.1:8080/auth/realms/master/protocol/openid-connect/auth?client_id=KeycloakSample&scope=openid&response_type=code&redirect_uri=app%3A%2F%2Fkeycloaksample%2F";
        Uri uri = new Uri.Builder().scheme(configuration.getProperty("keycloak.scheme"))
                .encodedAuthority(configuration.getProperty("keycloak.authority"))
                .appendEncodedPath("auth/realms")
                .appendPath(configuration.getProperty("keycloak.realm"))
                .appendEncodedPath("protocol/openid-connect/auth")
                .appendQueryParameter("client_id", getString(R.string.app_name))
                .appendQueryParameter("scope", "openid")
                .appendQueryParameter("response_type", "code")
                .appendQueryParameter("redirect_uri", configuration.getProperty("app.url"))
                .build();
        Intent intent = new Intent(Intent.ACTION_VIEW, uri);
        startActivity(intent);
    }

If you see, the URL is created with the application URL as the redirect_uri. The idea is the login button starts the default browser with the keycloak authentication URL (android starts the app associated to an http(s) scheme), the user performs the login with it, and after that the server redirects the browser to the application URL, which starts the activity inside our app.

Now it's the time to follow the OIDC specification an get the code returned from the server and, with it, obtain the access and refresh token. In the onCreate of the activity a LoginTask starts a thread that executes the call to the token endpoint.

    if (Intent.ACTION_VIEW.equals(intent.getAction())) {
            // check if we have to login
            Uri uri = intent.getData();
            if (uri != null) {
                String code = uri.getQueryParameter("code");
                if (code != null) {
                    new LoginTask(this,
                            new Callback() {
                                @Override
                                public void onPostExecute(MainActivity activity, TokenResponse tokenResponse) {
                                    activity.setToken(tokenResponse);
                                }
                            }
                    ).execute(code);
                }
            }
        }

The LoginTask performs the authorization_code call to convert the code into the real tokens (remember this is just plain OIDC standard).

    @Override
    protected TokenResponse doInBackground(String... strings) {
        HttpURLConnection conn = null;
        try {
            String code = strings[0];
            URL keycloak = activity.createTokenURL();
            String urlParameters = activity.createAuthorizationCodePostData(code);
            byte[] postData = urlParameters.getBytes(StandardCharsets.UTF_8);
            conn = (HttpURLConnection) keycloak.openConnection();
            conn.setDoOutput(true);
            conn.setInstanceFollowRedirects(false);
            conn.setRequestMethod("POST");
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            conn.setRequestProperty("charset", "utf-8");
            conn.setRequestProperty("Content-Length", Integer.toString(postData.length));
            conn.setUseCaches(false);
            try (DataOutputStream wr = new DataOutputStream(conn.getOutputStream())) {
                wr.write(postData);
            }
            if (conn.getResponseCode() == 200) {
                return new TokenResponse(conn.getInputStream(), activity.getSignatureKey());
            } else {
                return new TokenResponse(conn.getResponseCode() + ": " + conn.getResponseMessage());
            }
        } catch (IOException|InvalidKeySpecException|NoSuchAlgorithmException e) {
            Log.d(TAG, "Error calling keycloak", e);
            return new TokenResponse(e.getMessage());
        } finally {
            if (conn != null) {
                conn.disconnect();
            }
        }
    }

The createTokenURL and createAuthorizationCodePostData methods assign the URL and the post data that will be sent to the server to obtain the tokens.

    public URL createTokenURL() throws MalformedURLException {
        // "http://192.168.100.1:8080/auth/realms/master/protocol/openid-connect/token"
        return new URL(new Uri.Builder().scheme(configuration.getProperty("keycloak.scheme"))
                .encodedAuthority(configuration.getProperty("keycloak.authority"))
                .appendEncodedPath("auth/realms")
                .appendPath(configuration.getProperty("keycloak.realm"))
                .appendEncodedPath("protocol/openid-connect/token")
                .build().toString());
    }

    public String createAuthorizationCodePostData(String code) {
        // "grant_type=authorization_code&client_id=KeycloakSample&redirect_uri=app%3A%2F%2Fkeycloaksample%2F&code=" + code
        return new Uri.Builder()
                .appendQueryParameter("grant_type", "authorization_code")
                .appendQueryParameter("client_id", getString(R.string.app_name))
                .appendQueryParameter("redirect_uri", configuration.getProperty("app.url"))
                .appendQueryParameter("code", code)
                .build().getEncodedQuery();
    }

And finally, with the JSON data returned by the server, a TokenResponse object is created. For that I used the jjwt project which can parse the different JWT tokens returned by the server. This way the application can obtain the token information and present the user info.

    public TokenResponse(InputStream is, Key key) throws IOException {
        this.creationTime = System.currentTimeMillis() / 1000L;
        this.key = key;
        JsonReader jsonReader = new JsonReader(new InputStreamReader(is, "UTF-8"));
        jsonReader.beginObject();
        while(jsonReader.hasNext()) {
            String name = jsonReader.nextName();
            switch (name) {
                case "expires_in":
                    this.setExpiresIn(jsonReader.nextInt());
                    break;
                case "refresh_expires_in":
                    this.setRefreshExpiresIn(jsonReader.nextInt());
                    break;
                case "access_token":
                    this.setAccessToken(jsonReader.nextString());
                    break;
                case "refresh_token":
                    this.setRefreshToken(jsonReader.nextString());
                    break;
                default:
                    jsonReader.skipValue();
            }
        }
    }

    public Jws getAccessTokenClaims() {
        return accessTokenClaims;
    }

    public String getAccessToken() {
        return accessToken;
    }

    public void setAccessToken(String accessToken) {
        this.accessToken = accessToken;
        this.accessTokenClaims = Jwts.parser()
                .setSigningKey(this.key)
                .parseClaimsJws(accessToken);
    }

To fully understand the code presented, the properties file used in the app is the following (information about keycloak: url, realm key,...).

keycloak.key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8...
keycloak.scheme=http
keycloak.authority=192.168.100.1:8080
keycloak.realm=master
app.url=keycloak://keycloaksample/

Mainly this is the idea about the custom URL technique, android can associate a weird URL with the application and normal browser login is used to perform the SSO login. After that the OIDC calls are used to get the tokens and use them. My application also exemplifies how to do the logout, refresh the token and call another web service (userinfo) using the access token. But that is just development that uses the TokenResponse object initially created in the login.

Here I present a video, first I log into the application, thanks to custom URLs the browser is used to do that. Then the token information is shown and it is used to call the OIDC userinfo endpoint (information of the user). As you see the SSO is in place and I can reach the keycloak console without login again. Then I wait the access token to expire (60 seconds) and I refresh it (refresh_token action in the OIDC token endpoint). Finally I perform the logout which is a global logout too.

Your browser doesn't support the video tag. See this entry for more information about how to see the videos in this blog. You can download the file instead.

And that is all. I wanted to test the custom URL technique in an mobile application and I decided to use android (iOS is a complete unknown for me, but I suppose the same idea can be used for that platform). The application is very simple and just uses the jjwt project out of the default android API. This is just a PoC so it can be extended and/or improved a lot (for example not using fixed URLs and keys, calling the well-known OIDC address and the JWKs certificate endpoints is a better solution). Please also take in mind that I never develop for mobile, so just use the app as an example, surely things can be done much better. The KeycloakSample application can be download from here, hope it helps to someone else.

Regards!

A quick entry this time. Some days ago I needed to use the javascript engine in Java (javascript in Java is integrated inside the Scripting API). I realized that the new nashorn engine always compiles the code and, although it is much faster and modern than the older one (rhino was used in previous java 7), in some corner cases it can be worse. Normally in cases where a lot of different javascript chunks are evaluated. The rhino implementation interprets the code and just optimizes the hot parts while nashorn always compiles the code into classes and, therefore, if the piece of javascript is just run a few times the compiling part is a drawback. Bug JDK-8034959 manages this same subject.

In theory the old rhino implementation can be added to the Scripting API. But the problem is that now all java.dev.net is decommissioned and finding the sources is complicated currently. The following steps are needed now.

1. Download last rhino library 1.7R4. This provides the js.jar library.

2. Now we have to find the rhino implementation for JSR-223 (Scripting API), and I finally found a github clone, and I could compile it.

   
   git clone https://github.com/scijava/javax-scripting
   cd javax-scripting/engines/javascript/lib/
   cp ${RHINO_HOME}/rhino1_7R4/js.jar .  # downloaded in step 1
   cd ../make/
   ant clean all
   

   A library js-engine.jar is generated inside the build directory.

3. This little program is used to test. As you see I have to use the rhino engine name (because nashorn is also there).

   
   import javax.script.ScriptEngine;
   import javax.script.ScriptEngineManager;
   import javax.script.ScriptException;
     
   public class HelloWorld {
       public static void main(String[] args) throws ScriptException {
           ScriptEngine engine = new ScriptEngineManager().getEngineByName("rhino");
           System.out.println(engine.getClass());
           engine.eval("print('Hello World!');");
       }
   }
   

4. With both libraries the simple javascript can be compiled and executed.

   
   java -cp js.jar:js-engine.jar:. HelloWorld
   class com.sun.phobos.script.javascript.RhinoScriptEngine
   Hello World!
   

   To completely remove the nashorn engine in JDK 8 it is necessary to remove the library from the JVM. The library is placed in ${JAVA_HOME}/jre/lib/ext/nashorn.jar (it is placed in the ext folder, and all the libraries in that folder are automatically available for the JDK, this way nashorn is always loaded if not deleted). Once it is removed only the rhino engine is available for names like js or JavaScript or mime types like application/javascript.

But, remember this is the last resort. The new nashorn engine is much faster and modern. The js snippets are cached to avoid re-compilation so it's only a problem if the code is really very dynamic (I suppose that you can also maintain the same engine, taking care of the javascript, global vars and global execution). Just to compare both engines I tried with the google octane benchmark (I used this files working a bit over the run-octane.js JDK script). The results are the following for both engines in my laptop.

So it's clear that nashorn is much better, faster and it can execute the whole benchmark (rhino fails in some tests). If you see there are several tests in which the old engine is better during the warmup, but all tests except code-load are faster when executed by nashorn in average and maximum (and code-load can be related to compilation in the end, because I think that it is a test about loading code).

Scripted regards!