
Include groups in ClaimsPrincipal when using Negotiate on Linux #12938

Closed
valorl opened this issue Aug 7, 2019 · 16 comments
Comments

@valorl

valorl commented Aug 7, 2019

Describe the solution you'd like

When using Negotiate authentication on Windows, the created WindowsPrincipal automatically holds all the AD groups of the authenticated user as claims of type http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid, which is also the value of RoleClaimType.

It would be useful to have similar functionality on Linux, where the ClaimsPrincipal would hold the group IDs as claims of type http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid.

Additional context

All the claims should already be present in the Kerberos ticket and it should be possible to parse them out. I think it's already being done in SteveSyfuhs/Kerberos.NET. From a quick look, the KerberosAuthenticator.cs may be useful. That being said, I'm not very familiar with the differences between Steve's and AspNetCore's implementations.

@brockallen

Beware cookie bloat.

@blowdart blowdart added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Aug 7, 2019
@blowdart
Contributor

blowdart commented Aug 7, 2019

@Tratcher

@blowdart
Contributor

blowdart commented Aug 7, 2019

You'll note that Steve's implementation only translates the well known group names. It doesn't cope with user defined groups, so it's quite limited. The Windows one contains SIDs and there's special magic in IsInRole that goes off to the AD and asks the AD for the SID. That wasn't a goal for this implementation, but may come later.

@Tratcher
Member

Tratcher commented Aug 7, 2019

> Beware cookie bloat.

This is kerberos, there is no cookie. There is however a cost to looking up this information on every request.

@Tratcher
Member

Tratcher commented Aug 7, 2019

On Linux we depend on the GSS API to handle the Kerberos handshake for us. We'd either have to find a way to get the groups through GSS (which would be done in corefx), or get them ourselves out of band (LDAP).

@blowdart
Contributor

blowdart commented Aug 7, 2019

Backlog it is then for now

@blowdart blowdart added this to the Backlog milestone Aug 7, 2019
@brockallen

> This is kerberos, there is no cookie.

Oh yea, good point. In IS we take the result of kerb and put into a cookie to abstract the authentication method.

@Tratcher
Member

Tratcher commented Aug 7, 2019

> > This is kerberos, there is no cookie.
>
> Oh yea, good point. In IS we take the result of kerb and put into a cookie to abstract the authentication method.

I hope you let people filter/transform at that point?

@brockallen

> I hope you let people filter/transform at that point?

We do have a flag to opt-in. But it's also quickstart code, so it's their code once they copy it. Much like templates, I guess, in VS :)

@SteveSyfuhs

Minor clarification here... all group information is present in the Kerberos ticket PAC. What's present however is SID information, not group name information. So you will be able to do proper ACL checks (because you're checking against the SID and not the mutable name, right? Right??), but you're not going to get friendly names. That's the point of the out of band LDAP call to AD. GSS may expose an ability to read group information, but it's somewhat dependent on the underlying implementation's ability to read the PAC which is hit or miss.

@brockallen

@SteveSyfuhs out of curiosity, would this sort of thing work on the linux distros you've been targeting?

https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/host/Quickstart/Account/ExternalController.cs#L174-L175

@SteveSyfuhs

@brockallen That is calling squarely into LSA-specific APIs: https://github.com/dotnet/corefx/blob/d3911035f2ba3eb5c44310342cc1d654e42aa316/src/System.Security.Principal.Windows/src/System/Security/Principal/NTAccount.cs#L281-L334

The basic logic would have to be

    foreach (uniqueDomain in PAC)
    {
        // resolve domain by sid prefix

        foreach (sid in domainGroupSids)
        {
            // connect to that domain
            // query ldap and find the group with that sid
            // return the group name
        }
    }
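The loop above carried through in C# with System.DirectoryServices.Protocols, as an added example that is not code from this issue, from ASP.NET Core or from Kerberos.NET. It assumes the group SIDs have already been read out of the PAC (that parsing is not shown), that the caller can map a domain SID prefix to an LDAP host and base DN (a hard-coded placeholder dictionary here, with constructed sample values), and that a Kerberos credential is available for the bind. The SIDs are bucketed by domain, one connection is opened per domain, and each group is looked up with an RFC 4515 escaped `(objectSid=...)` filter. The claims step keeps Steve's point: `ClaimTypes.GroupSid` (the `.../claims/groupsid` URI from the issue) carries the SID that authorization should compare against, and the resolved name goes into a separate, display-only claim whose type name is made up for this example.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;   // NuGet package System.DirectoryServices.Protocols
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Security.Principal;

public static class PacGroupResolver
{
    // Assumption: the caller already knows which LDAP server and naming context serve each domain SID
    // (for example from DNS SRV lookups). The entry below is a constructed placeholder.
    static readonly Dictionary<string, (string Host, string BaseDn)> DomainSidToDirectory = new()
    {
        ["S-1-5-21-1111111111-2222222222-3333333333"] = ("dc1.corp.example.test", "DC=corp,DC=example,DC=test"),
    };

    // RFC 4515 escaping for a binary attribute value: every byte of the SID becomes \XX.
    public static string ToLdapFilterValue(SecurityIdentifier sid)
    {
        var bytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(bytes, 0);
        return string.Concat(bytes.Select(b => "\\" + b.ToString("x2")));
    }

    // Returns sid -> cn for every group SID that resolved. SIDs whose domain is unknown,
    // or that have no domain part (well-known / builtin SIDs), are left out rather than guessed.
    public static Dictionary<string, string> ResolveGroupNames(IEnumerable<string> groupSids, NetworkCredential credential)
    {
        var names = new Dictionary<string, string>();

        // "resolve domain by sid prefix": group the SIDs by their account-domain SID.
        var byDomain = groupSids
            .Select(s => new SecurityIdentifier(s))
            .Where(s => s.IsAccountSid())
            .GroupBy(s => s.AccountDomainSid.Value);

        foreach (var domainGroup in byDomain)
        {
            if (!DomainSidToDirectory.TryGetValue(domainGroup.Key, out var dir))
                continue;   // unknown domain: keep the SID in the principal, skip the name lookup

            // "connect to that domain": one Kerberos (Negotiate) bind per domain, signed and sealed.
            using var conn = new LdapConnection(new LdapDirectoryIdentifier(dir.Host, 389), credential, AuthType.Negotiate);
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.Signing = true;
            conn.SessionOptions.Sealing = true;
            conn.Bind();

            // "query ldap and find the group with that sid": exact match on objectSid, fetch only cn.
            foreach (var sid in domainGroup)
            {
                var filter = $"(&(objectClass=group)(objectSid={ToLdapFilterValue(sid)}))";
                var request = new SearchRequest(dir.BaseDn, filter, SearchScope.Subtree, "cn");
                var response = (SearchResponse)conn.SendRequest(request);
                if (response.Entries.Count == 1)
                    names[sid.Value] = (string)response.Entries[0].Attributes["cn"].GetValues(typeof(string))[0];
            }
        }
        return names;
    }

    // Authorization data is the SID (ClaimTypes.GroupSid); the friendly name is attached for display only.
    public static ClaimsIdentity AddGroupClaims(ClaimsIdentity identity, IEnumerable<string> groupSids,
                                                IReadOnlyDictionary<string, string> names)
    {
        foreach (var sid in groupSids)
        {
            identity.AddClaim(new Claim(ClaimTypes.GroupSid, sid));
            if (names.TryGetValue(sid, out var name))
                identity.AddClaim(new Claim("http://example.test/claims/groupname", name)); // made-up claim type
        }
        return identity;
    }

    public static void Main()
    {
        // Constructed sample: two domain groups plus a builtin SID that has no domain to query.
        var pacGroupSids = new[]
        {
            "S-1-5-21-1111111111-2222222222-3333333333-513",
            "S-1-5-21-1111111111-2222222222-3333333333-1105",
            "S-1-5-32-545",
        };
        var names = ResolveGroupNames(pacGroupSids, CredentialCache.DefaultNetworkCredentials);
        var identity = AddGroupClaims(new ClaimsIdentity("Negotiate"), pacGroupSids, names);
        foreach (var claim in identity.Claims)
            Console.WriteLine($"{claim.Type} = {claim.Value}");
    }
}
```

`Main` only completes against a reachable domain controller; offline it fails at `Bind()`, which is the cost Tratcher mentions above made visible: resolving names is a network round trip per domain plus one search per group, so a real handler would cache the result per ticket rather than repeat it on every request.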

@scholtz

scholtz commented Mar 19, 2020

Hi, do you have any best practices for how to load groups in a .NET 3 web app in a Linux docker container authorized by the Negotiate protocol? #19397
Is LDAP the only way? I believe someone has already coded this, so is there some recommendation, or should everyone code it themselves? e.g. Google

@Tratcher
Member

We've just started on built-in Linux LDAP support for 5.0; we don't have any first-party support for 3.1. I haven't researched 3rd-party options, but I'm curious if anyone else has suggestions here.

@analogrelay analogrelay modified the milestones: Backlog, 5.0.0-preview5 Apr 9, 2020
@Naihan

Naihan commented Apr 20, 2020

@Tratcher I was wondering, what LDAP library will be used? System.directory is not supported under Linux

@Tratcher
Member

> @Tratcher I was wondering, what LDAP library will be used? System.directory is not supported under Linux

See dotnet/runtime#23944

@analogrelay analogrelay added the blocked The work on this issue is blocked due to some dependency label Apr 30, 2020
@JunTaoLuo JunTaoLuo removed the blocked The work on this issue is blocked due to some dependency label Jun 4, 2020