Keycloak as a Kerberos proxy, instead of forwarder, with gss_delegation_credential appended to JWT

My colleague Connor created a github discussion to which no one has responded: Keycloak as a Kerberos proxy, instead of forwarder, with gss_delegation_credential appended to JWT · Discussion #8874 · keycloak/keycloak · GitHub

Does anyone here have any thoughts on the matter?

I will reproduce the text here so people don’t need to click:
"Hello Keycloak Community!

I’ve been supporting a Kerberos-integrated Keycloak use case recently, and I’d like to ask if the premise of the PR we’d like to submit is secure before submitting it. Some background on where we are at: I can use my Kerberos ticket on my browser to log in, and can also, using a forwardable ticket, obtain a JWT with curl, for example:

curl -k --negotiate --delegation policy -u : --location --request POST 'https://keycloak.ipa.test/auth/realms/Test/protocol/openid-connect/token' --data-urlencode 'client_id=grafana.ipa.test' --data-urlencode 'client_secret=my-secret-token' -d 'grant_type=password' -d 'scope=openid profile email' -vvvv

This gives me gss_delegation_credential in my JWT as I expect. In this case, I’m trying to access an OIDC-integrated grafana instance, and I’ve got FreeIPA doing Kerberos and LDAP. Everything here works.

The trouble we ran into was that we’d like some of our existing software that obtains JWTs from Keycloak through the Java API wasn’t integrated with Kerberos. So, for certain rigid deployments at customer sites, we need to provide that gss_delegation_credential to a service that expects GSSAPI. This software is not in a place where we can add Kerberos functionality quickly, so doing things like implementing a keytab and GSSAPI to imitate the success we’ve had with the above curl command is out of reach for us at the moment. What we’d like to do is ask Keycloak for a password-based grant, have that request get authenticated by Keycloak via Kerberos, and have Keycloak obtain and append the gss_delegation_credential to the JWT for us.

We have a PR that we’d like to submit, and we’ve tested that it achieves the objectives that we’ve set out to accomplish. However, I’d like to ask the community if this is, prima facie, a supportable flow in Keycloak, or if we’re violating some kind of Kerberos prime directive here :slight_smile: Also in the realm of possibilities is the idea that Keycloak supports this but we’re doing it wrong! What should our next steps be?

Can Keycloak provide gss_delegation_credential in the returned JWT on behalf of a successful password grant if integrated with Kerberos? If not, does the community believe this could be done securely? If so, do you want us to submit a PR of what we already have?