Include groups in ClaimsPrincipal when using Negotiate on Linux #12938
Comments
Beware cookie bloat.
You'll note that Steve's implementation only translates the well-known group names. It doesn't cope with user-defined groups, so it's quite limited. The Windows one contains SIDs and there's special magic in IsInRole that goes off to the AD and asks the AD for the SID. That wasn't a goal for this implementation, but may come later.
This is Kerberos, there is no cookie. There is however a cost to looking up this information on every request.
On Linux we depend on GSS API to handle the Kerberos handshake for us. We'd either have to find a way to get the groups through GSS (which would be done in corefx), or get them ourselves out of band (LDAP).
Backlog it is then for now.
Oh yea, good point. In IS we take the result of kerb and put it into a cookie to abstract the authentication method.
I hope you let people filter/transform at that point?
We do have a flag to opt in. But it's also quickstart code, so it's their code once they copy it. Much like templates, I guess, in VS :)
Minor clarification here... all group information is present in the Kerberos ticket PAC. What's present however is SID information, not group name information. So you will be able to do proper ACL checks (because you're checking against the SID and not the mutable name, right? Right??), but you're not going to get friendly names. That's the point of the out-of-band LDAP call to AD. GSS may expose an ability to read group information, but it's somewhat dependent on the underlying implementation's ability to read the PAC, which is hit or miss.
@SteveSyfuhs out of curiosity, would this sort of thing work on the linux distros you've been targeting? |
@brockallen That is calling squarely into LSA-specific APIs: https://github.com/dotnet/corefx/blob/d3911035f2ba3eb5c44310342cc1d654e42aa316/src/System.Security.Principal.Windows/src/System/Security/Principal/NTAccount.cs#L281-L334 The basic logic would have to be
We've just started on built-in Linux LDAP support for 5.0; we don't have any first-party support for 3.1. I haven't researched 3rd-party options, but I'm curious if anyone else has suggestions here.
@Tratcher I was wondering, what LDAP library will be used? System.Directory is not supported under Linux.
Describe the solution you'd like
When using Negotiate authentication on Windows, the created WindowsPrincipal automatically holds all the AD groups of the authenticated user as claims of type http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid, which is also the value of RoleClaimType. It would be useful to have similar functionality on Linux, where the ClaimsPrincipal would hold the group IDs as claims of type http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid.
Additional context
All the claims should already be present in the Kerberos ticket and it should be possible to parse them out. I think it's already being done in SteveSyfuhs/Kerberos.NET. From a quick look, the KerberosAuthenticator.cs may be useful. That being said, I'm not very familiar with the differences between Steve's and AspNetCore's implementations.
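The design the thread converges on for Linux (group SIDs fetched out of band, exposed under the groupsid claim type so IsInRole checks the immutable SID and not a display name, with the per-request lookup cost bounded by a cache) as an added example; this is not code from the issue, from ASP.NET Core or from Kerberos.NET. The IGroupSidLookup interface, the in-memory cache and the five-minute lifetime are assumptions; the thread names no LDAP client library, so only the lookup abstraction is shown.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Caching.Memory;

// Hypothetical abstraction over the out-of-band directory (LDAP) lookup.
// Returns the SIDs of the groups the user belongs to, never group names.
public interface IGroupSidLookup
{
    Task<IReadOnlyList<string>> GetGroupSidsAsync(string userPrincipalName);
}

// Adds ClaimTypes.GroupSid claims to a Negotiate-authenticated principal, mirroring
// what WindowsPrincipal carries on Windows. Register with
// services.AddTransient<IClaimsTransformation, GroupSidClaimsTransformation>().
public sealed class GroupSidClaimsTransformation : IClaimsTransformation
{
    private readonly IGroupSidLookup _lookup;
    private readonly IMemoryCache _cache;

    public GroupSidClaimsTransformation(IGroupSidLookup lookup, IMemoryCache cache)
    {
        _lookup = lookup;
        _cache = cache;
    }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Only enrich authenticated identities, and only once: the transformation can run
        // more than once per request, so an identity that already has group SIDs is returned as-is.
        if (principal.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated
            || identity.Name is null || identity.HasClaim(c => c.Type == ClaimTypes.GroupSid))
            return principal;

        // The directory round trip is the per-request cost raised in the thread; a short-lived
        // cache keyed on the principal name bounds it (lifetime is an assumption).
        var sids = await _cache.GetOrCreateAsync(identity.Name, entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(5);
            return _lookup.GetGroupSidsAsync(identity.Name);
        });

        // Rebuild the identity with RoleClaimType = ClaimTypes.GroupSid, so that
        // principal.IsInRole("S-1-5-21-...") compares SIDs rather than mutable names.
        var claims = identity.Claims.Concat(sids.Select(s => new Claim(ClaimTypes.GroupSid, s)));
        var enriched = new ClaimsIdentity(claims, identity.AuthenticationType,
                                          identity.NameClaimType, ClaimTypes.GroupSid);
        return new ClaimsPrincipal(enriched);
    }
}
```

Authorization policies can then use RequireRole with a group SID, and the friendly-name lookup the thread describes stays a separate, optional step.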