This documentation is in progress and includes all updates released after Identity Server 5.4.1. For documentation specific to a version, see About This Release.
Kerberos Grant - WSO2 Identity Server 5.x.x - WSO2 Documentation

Kerberos is a security protocol with support built into various operating systems and open-source distributions (e.g., Ubuntu, Windows, RedHat, Open Solaris, etc.). Additionally, most browsers support some Kerberos functions as well. As WSO2 Identity Server (WSO2 IS) uses the OAuth 2.0 protocol, the Kerberos-OAuth2 grant type allows organizations to exchange a Kerberos ticket for an OAuth 2.0 token. This allows organizations to re-use their existing Kerberos infrastructure while adopting OAuth 2.0.

Kerberos-OAuth2 grant flow

The following section describes the flow involved in exchanging a Kerberos ticket for an OAuth2 token.

  1. The Kerberos client requests the Kerberos Service Ticket from the Kerberos Key Distribution Center (KDC) to invoke the service.
    The Kerberos Key Distribution Center can be any Kerberos server.
  2. The Kerberos Key Distribution Center sends a response with the Kerberos Service Ticket.
    If the client and the requested service are valid, the Key Distribution Center (KDC) sends a Kerberos ticket encrypted with the service owner's private key. The API handles the exchange of the Ticket Granting Ticket (TGT), the Service Granting Ticket (SGT), and all other low-level Kerberos details.
  3. The Kerberos client requests the OAuth2 token.
    The message format of the OAuth2 token request is as follows:

    POST /oauth2/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic MW91TDJmTzZTeGxmRDJMRHcxMjVjVG8wdlFrYTp1VUV0bTg5dFk2UVp1WlVtcVpmTDkyQkRGZUFh

    You can use one of the following two cURL commands to request the OAuth2 token:

    curl -v -X POST -H "Authorization: Basic <base64 encoded client id:client secret value>" -k -d "grant_type=kerberos&kerberos_realm=<kerberos realm>&kerberos_token=<kerberos token>" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
    curl -u <client id>:<client secret> -k -d "grant_type=kerberos&kerberos_realm=<kerberos realm>&kerberos_token=<kerberos token>" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
  4. The Kerberos client receives the OAuth2 token.
    The Kerberos Grant validates the received Kerberos token against the credentials of the configured Identity Provider (IDP) and, if the token is valid, issues an OAuth2 token to the client.
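Added example (not from the WSO2 documentation or the kerberos-grant project): a Python client that builds the step 3 token request and checks the step 4 response. The endpoint is the one in the cURL commands above and the client id and secret are the sample pair encoded in the Authorization header above; the realm and the SPNEGO token are constructed stand-ins.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"  # endpoint used on the page

# Constructed stand-in for a base64 SPNEGO token (a real one comes from the
# Kerberos library and is much larger); 0x60 is the GSS-API InitialContextToken
# tag from RFC 2743, and the trailing bytes give the base64 a literal '+'.
SAMPLE_KERBEROS_TOKEN = base64.b64encode(
    b"\x60\x0a\x06\x06\x2b\x06\x01\x05\x05\x02\xfb\xfe").decode()


def looks_like_gss_token(token_b64):
    """Client-side sanity check only: valid base64 whose first byte is the
    InitialContextToken tag. The server, not this check, validates the ticket."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) > 0 and raw[0] == 0x60


def build_kerberos_grant_request(client_id, client_secret, realm, token_b64,
                                 endpoint=TOKEN_ENDPOINT):
    """Return an un-sent urllib Request for the kerberos grant (step 3).
    urlencode() percent-encodes '+', '/' and '=' in the token; a raw '+' in a
    form body is decoded as a space by the server and the ticket then fails."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "kerberos",
        "kerberos_realm": realm,
        "kerberos_token": token_b64,
    }).encode()
    req = urllib.request.Request(endpoint, data=body, method="POST")
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def parse_token_response(body):
    """Parse the token endpoint's JSON reply (step 4); raise on an OAuth2 error
    object or a non-bearer token so callers never act on a half-valid result."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError(f"token request failed: {data['error']}")
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError("response is not a usable bearer token")
    return data
```

The same encoding concern applies to the cURL commands: pass the token with --data-urlencode rather than substituting it raw into -d.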


Configuring Kerberos Grant with Identity Server

Follow the instructions below to configure Kerberos Grant with WSO2 IS:

  1. Download the Kerberos-grant JAR (kerberos-grant-1.0.0.jar).

  2. Copy the JAR into the <IS_HOME>/repository/components/lib directory.

  3. Add the following entry under <SupportedGrantTypes> in the <IS_HOME>/repository/conf/identity/identity.xml file.

  4. Configure OAuth2 with IWA as an allowed grant type.

    1. Sign in to the WSO2 IS Management Console.
    2. Navigate to the Main menu, click Add under the Service Providers menu.
    3. Add a new Service Provider and configure OAuth2 for your client application with kerberos as an allowed grant type. 


      To enable OAuth support for your client application, you must first register your application. Follow the instructions below to add a new OAuth2 application.

      1. Expand the OAuth/OpenID Connect Configuration and click Configure.
      2. Fill in the form that appears. For the Allowed Grant Types you can disable the ones you do not require or wish to block.
        Select the kerberos grant type as an allowed grant type.

      3. Click Add. The following information is added to your service provider.

        • OAuth Client Key - This is the client key of the service provider, which the Identity Server checks for authentication before providing the access token.
        • OAuth Client Secret - This is the client secret of the service provider, which the Identity Server checks for authentication before providing the access token. Click the Show button to view the exact value.
        • Actions -
          • Edit: Click to edit the OAuth/OpenID Connect Configurations.
          • Revoke: Click to revoke (deactivate) the OAuth application. This action revokes all tokens issued for this application. In order to activate the application again, you have to regenerate the consumer secret.
          • Regenerate Secret: Click to regenerate the secret key of the OAuth application.
          • Delete: Click to delete the OAuth/OpenID Connect Configurations.

  5. Configure the Service Principal Name (SPNName) and Service Principal Password (SPNPassword).

    1. Navigate to the Main menu, click Add under the Identity Providers menu.

    2. Add a new Identity Provider (IDP). Enter the basic information as follows. 

      The IDP name should be the name of the realm as specified in the token request in step 3. Based on this example, it should be

    3. Expand the Federated Authenticators tab, and then the IWA Kerberos Configuration tab. Enter the required details as follows.
  6. Invoke the token endpoint using the message format discussed in step 3.
