kerberos authentication in node

0
votes

I need my node server to authenticate a client (username / password provided in HTTPS request) and provide the user's role for authorization. I'm trying to find out how to retrieve the Kerberos token in node (using node-krb5 or passport-kerberos modules) in case of successful authentication.

My setup is pretty basic:

  1. Client app provides username/password to node server app
  2. Node authenticates the user with the provided credentials against Kerberos
  3. Kerberos provides a Auth token that node app will send to client
  4. Client sends the token with each request to node to avoid state management in node.
  5. Node app needs to know the user's role that's inside the ticket.

For steps #3 & #5, I'm looking for help in retrieving the kerberos token and reading its contents to extract the role information.

Any help is greatly appreciated.

I checked an earlier thread but that wasn't answered: Kerberos Authorization w/ Node.js

Thanks.

1
node.jsauthenticationauthorizationkerberos
Such topic is discussed here: stackoverflow.com/questions/20098912/…greenmarker
I had gone through that thread but it does not provide any help with my request - specifically, accessing the token and reading it in node. Hence, I had to post a new question, specifically pointing out (steps #3 and #5) where I need the help.Dhananjay

1 Answers

2
votes

Kerberos is an authentication protocol. Most implementations simply don't have any role data inside the kerberos ticket. Microsoft is the one exception I know of, they encode some group data inside an extension to the kerberos ticket.

However, unless you have a keytab on the server ( SPN in MS speak ) you will never be able to read the contents of a ticket. I don't know of any standard kerberos API's that provide access to this data. ( They may exist, I just don't know of them ).

The typical way that you would get role data for a user is to use the kerberos identity as a key to search an authorization service. The most commonly used one is LDAP. A typical application would make an LDAP query to get the users attributes and then use those to make role decisions. ( Or look to see if the user is a member in an specific group ).

Lastly, it's hard to tell from your description, but it really sounds like you not actually using kerberos in the way that it was intended. An application that is using kerberos as designed should never need the username/password combo.