
I would like to build a Web API in Python that uses OAuth2 and will eventually use Kerberos-protected resources in the backend. Specifically, I would like to have a Web API that uses OAuth2 to authenticate users and then switches them to a Kerberos context for the duration of the request. (I am not too familiar with Kerberos, which may be apparent.) Many users with different credentials will be using the same API. It should be noted this will be done in a Linux environment with some implementation of Kerberos. I want to use OAuth2 for authorization because it will be easier for developers to use the API.

How can I delegate or impersonate a Kerberos user that was authenticated using OAuth2? I am aware I can make any necessary information available to the Web API in the OAuth2 authentication token (JWT). Furthermore, I could have the OAuth2 server provide a token introspection method that would allow me to obtain any info needed to make the impersonation.

wwaldner
Search "kerberos protocol transition" and "s4u2proxy". Basically, in your KDC you grant a specific service principal the right to request service tickets on behalf of other users. There are two modes: 1) constrained delegation, where you must present an evidence ticket from the user (can't really do that with OAuth easily), and 2) protocol transition, where the service principal doesn't need any evidence ticket and the KDC assumes the service has already authenticated the caller. – Steve Aug 08 '20 at 21:14
In addition to Steve's comment: in case protocol transition is not supported (many customers are reluctant to enable it, as it has its own risks), your OAuth handler can be customized so that, just after user authorization but before redirection to the client app, you negotiate with the browser and take the user's Kerberos ticket for your application service. Then, as Steve mentioned, this ticket can be used with constrained delegation (Kerberos Only flag set in AD). – Bhushan Karmarkar Aug 13 '20 at 11:46
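A worked version of Steve's mode 2 (protocol transition, i.e. S4U2Self, followed by S4U2Proxy to the backend), as an added example that is not code from the question or from either commenter. It uses python-gssapi and assumes hypothetical names: realm EXAMPLE.COM, API principal HTTP/api.example.com, backend principal HTTP/backend.example.com, audience "kerberos-api" and a preferred_username claim. It also assumes the JWT has already been signature/issuer-verified (or introspected, as the question suggests) before its claims reach this code; the mapping step can be run without a KDC, the two gssapi functions cannot.

```python
"""Added example (not from the question or the comments): OAuth2 caller ->
Kerberos identity via protocol transition (S4U2Self), then S4U2Proxy to the
backend. Needs python-gssapi on a host holding the API principal's key.

Assumed (hypothetical) names: realm EXAMPLE.COM, API principal
HTTP/api.example.com, backend HTTP/backend.example.com, audience
"kerberos-api", and a JWT whose signature/issuer was already verified.
"""
import re
import time

REALM = "EXAMPLE.COM"                                    # assumption
SERVICE_PRINCIPAL = "HTTP/api.example.com@" + REALM      # assumption
BACKEND_PRINCIPAL = "HTTP/backend.example.com@" + REALM  # assumption
EXPECTED_AUDIENCE = "kerberos-api"                       # assumption

# Only a bare user name may become a principal. Allowing '@' or '/' would let
# a token holder name "admin@OTHER.REALM" or a service principal and have the
# API impersonate it: S4U2Self trusts whatever name the service asks for.
_USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class ClaimError(ValueError):
    """Token claims cannot be mapped to a Kerberos principal."""


def principal_from_claims(claims, now=None):
    """Map verified OAuth2 claims to user@REALM, refusing anything ambiguous."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise ClaimError("token was not issued for this API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ClaimError("token expired or has no exp")
    username = claims.get("preferred_username")  # assumption: claim to map on
    if not isinstance(username, str) or not _USERNAME_RE.fullmatch(username):
        raise ClaimError("preferred_username is not a plain user name")
    return "%s@%s" % (username, REALM)


def acquire_user_credentials(principal):
    """S4U2Self: obtain a credential *for the user* using only the API's own
    key. No password, ticket or browser round-trip from the user is needed;
    the KDC trusts that the API authenticated them (here: via OAuth2)."""
    import gssapi  # python-gssapi; lazy so the mapping above runs without a KDC

    service = gssapi.Credentials(
        name=gssapi.Name(SERVICE_PRINCIPAL, gssapi.NameType.kerberos_principal),
        usage="initiate")  # the API's own credential (ccache or client keytab)
    user = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
    # Wraps gss_acquire_cred_impersonate_name(); fails with a KDC policy error
    # unless SERVICE_PRINCIPAL is allowed to do protocol transition.
    return service.impersonate(user)


def backend_context(user_creds):
    """S4U2Proxy: authenticate to the backend with the impersonated credential.
    The KDC issues the backend ticket only if SERVICE_PRINCIPAL is allowed to
    delegate to BACKEND_PRINCIPAL. Returns the context and its first token."""
    import gssapi

    target = gssapi.Name(BACKEND_PRINCIPAL, gssapi.NameType.kerberos_principal)
    ctx = gssapi.SecurityContext(name=target, creds=user_creds, usage="initiate")
    return ctx, ctx.step()  # Kerberos AP-REQ to send to the backend


def handle_request(claims, impersonate=acquire_user_credentials, now=None):
    """Per-request flow: claims -> principal -> user credential. Keep the
    credential for this request only; never reuse it for another caller.
    `impersonate` is injectable so the flow can be exercised without a KDC."""
    principal = principal_from_claims(claims, now=now)
    return principal, impersonate(principal)
```

Two practitioner notes. First, the KDC-side grant Steve refers to is what makes `service.impersonate` work: on Active Directory the API's account needs TrustedToAuthForDelegation (protocol transition) and the backend SPN listed in msDS-AllowedToDelegateTo; on MIT Kerberos the principal needs the ok_to_auth_as_delegate attribute plus a delegation ACL for the backend. Second, this is exactly the risk Bhushan's comment alludes to: once that grant exists, whoever holds the API's keytab can become any user towards the backend, so the keytab and the claim-to-principal mapping above are the whole trust boundary.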

0 Answers