Kerberos
- Network authentication protocol
- Based on symmetric cryptography
- Not vulnerable to eavesdropping (passwords never go through the network in plain text)
- Current protocol version: 5
- Implementations: MIT Kerberos, Heimdal, Windows AD, ApacheDS
- Kerberos data often backed by LDAP - MS AD, FreeIPA, ApacheDS
- Principals
- User principals: john@KEYCLOAK.ORG
- Service principals: HTTP/www.keycloak.org@KEYCLOAK.ORG, ldap/www.keycloak.org@KEYCLOAK.ORG
Typical flow
- User authenticates to their desktop and obtains a TGT
- TGT is used to obtain a service ticket
- Service ticket is used to authenticate against the service
- Service proves its identity with its "keytab"
SPNEGO
- Implemented by Microsoft (a mechanism for selecting the real authentication mechanism)
- In practice a wrapper around Kerberos
- Supported in web browsers (Authorization: Negotiate)
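Added example, not part of these notes: a small parser for the token a browser sends in the Authorization: Negotiate header, which tells a server (or a log reviewer) whether it received SPNEGO wrapping Kerberos, a bare Kerberos token, or an NTLM fallback. The DER layout and OIDs follow RFC 4178/4121; the sample token is constructed by hand.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"            # SPNEGO pseudo-mechanism (RFC 4178)
KRB5_OID = "1.2.840.113554.1.2.2"       # Kerberos v5 (RFC 4121)
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"  # NTLM, offered when no ticket is at hand

def der_len(buf, i):
    """Parse DER length at buf[i]; return (length, offset of content)."""
    n = buf[i] & 0x7F
    return (buf[i], i + 1) if buf[i] < 0x80 else (int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n)

def decode_oid(body):
    """Decode DER OID content bytes to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_negotiate(header):
    """(kind, mechs): ('spnego', offered OIDs), ('kerberos-raw', [KRB5]) or ('ntlm-raw', [])."""
    scheme, _, b64 = header.strip().partition(" ")
    assert scheme.lower() == "negotiate", "not a Negotiate header"
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):  # bare NTLM: client had no Kerberos ticket
        return "ntlm-raw", []
    if tok[:1] != b"\x60":  # [APPLICATION 0] GSS-API InitialContextToken
        raise ValueError("not a GSS-API InitialContextToken")
    _, i = der_len(tok, 1)
    n, i = der_len(tok, i + 1)  # thisMech OID (tag 0x06)
    mech, i = decode_oid(tok[i:i + n]), i + n
    if mech != SPNEGO_OID:
        return ("kerberos-raw" if mech == KRB5_OID else "unknown"), [mech]
    mechs = []  # NegTokenInit: [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    for tag in (0xA0, 0x30, 0xA0, 0x30):
        if tok[i] != tag:
            raise ValueError("unexpected NegTokenInit layout")
        n, i = der_len(tok, i + 1)
    end = i + n
    while i < end:  # each mechType is 0x06 <len> <oid bytes>
        n, i = der_len(tok, i + 1)
        mechs.append(decode_oid(tok[i:i + n]))
        i += n
    return "spnego", mechs

# Constructed sample: NegTokenInit offering MS-KRB5, KRB5 and NTLM, mechToken omitted
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(bytes.fromhex(
    "6032 0606 2b0601050502 a028 3026 a024 3022"
    "0609 2a864882f712010202 0609 2a864886f712010202 060a 2b06010401823702020a")).decode()
```

A token that decodes as ntlm-raw is worth flagging on a Kerberos-only service, since it means the client could not get a ticket for the SPN.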
GSSAPI
- Standard API used in programming languages to abstract away the differences between authentication mechanisms
- Client calls "initSecContext"
- Server calls "acceptSecContext"
- JDK has support for Kerberos and SPNEGO
Keycloak
- Federation providers
- Decouple authentication and federation in the future? Pluggable authentication?
Credential delegation
- Service forwards the underlying ticket to another service
- The second service then authenticates on behalf of the user