A stand-alone app that enables Android apps such as Google Chrome to obtain the necessary credentials for accessing web services that require Kerberos SPNEGO authentication.
This is not an officially supported Google product. It is provided as a reference implementation of a Kerberos authentication solution on Android. This app can only be configured in conjuction with managed configurations.
The code in this package is an Android app that uses the OpenJDK Kerberos library to provide SPNEGO authentication for Chrome.
A .apk file suitable to be used for Kerberos authentication can be built using Bazel and then installed on an Android device.
The pre-compiled app from this repository is available for download at https://android-kerberos-authenticator.appspot.com. In order to use this app, you need to provide the following managed configurations:
You may also want to configure Chrome to allow it to talk to the Authenticator:
Upon obtaining a Ticket-Granting-Ticket for authentication, this will be stored securely in Account Manager and re-used whenever requested through Chrome authentication. If this ticket expires and a valid ticket is needed, it will automatically get renewed and stored again in the Account Manager. Some debug service ticket information will be stored securely in a file.
There is a public mailing list for discussing Kerberos authentication in Android in general, asking questions on the codebase or suggesting improvements: https://groups.google.com/forum/#!forum/android-kerberos-authenticator It is suggested to direct technical questions first to this group, and open a GitHub issue after there is agreement in the group that the issue is one that should be addressed in the codebase.
This section provides a method for building your own apk from the existing code that will be ready to be deployed. It does not cover custom development or specific integrated development environment setup.
We will walk you through the following steps:
Note: The examples below illustrating the applicationId update process are taken from an Ubuntu Linux desktop. Please consult the documentation for each tool used for instructions specific to your chosen operating system.
You will need to install a minimal set of development tools in order to get started
The Bazel website has an optional tutorial covering steps for building an Android app which might be useful: https://docs.bazel.build/versions/master/tutorial/android-app.html
Once all the above tools are installed, the ANDROID_HOME environment variable should be set to the path that the Android SDK is installed. Adjust for your installation if it is different:
export ANDROID_HOME=$HOME/Android/Sdk/Use the sdkmanager to download the Android platform. We’re using version 27:
$ANDROID_HOME/tools/bin/sdkmanager "platforms;android-27"We now need the source code. Use git to download the latest copy:
git clone https://github.com/google/android-kerberos-authenticator/Browse to the newly created directory called “kerberosauthenticator”. There are a few parameters that need to be set in the WORKSPACE file for the Bazel tool.
android_sdk_repository(
name = "androidsdk",
api_level = 27,
build_tools_version = "28.0.3.",
)You can get your current build tools number by using the sdkmanager command:
$ANDROID_HOME/tools/bin/sdkmanager --listWe are now ready to assign a new applicationId.
Open the authenticator BUILD file for editing . It should be located at
src/main/java/BUILD from the kerberosauthenticator directory. Look for the
section called android_library location and edit the applicationId value.
There are some limitations on the format of the applicationId. Best practices for choosing and setting one can be found here: https://developer.android.com/studio/build/application-id
Choose an id that is unique and descriptive. Once your version of the authenticator is published, you should not change the id again.
We are now ready to compile the authenticator with the updated applicationId. Browse to the kerberosauthenticator directory and run the bazel command:
bazel -c opt build //src/main/java:kerberosauthenticatorThe "-c opt" argument compiles a version with debugging information stripped out of the generated APK. If you would like to install on a connected device with debugging enabled or a virtual device, use this command instead:
bazel mobile-install //src/main/java:kerberosauthenticatorThe files generated by these commands are located in bazel-bin/src/main/java.
To verify the authenticity of the app, you can sign it with your own private key. Subsequent updates need to be signed with the same key. You can generate a private key with keytool:
keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048
-validity 10000 -alias my-aliasThe example above prompts you for a keystore and key password, and for the "Distinguished Name" fields for your key. It then generates the keystore as a file called my-release-key.jks, saving it in the current directory. The keystore contains a single key that is valid for 10,000 days.
Signing the authenticator app requires zipalign and apksigner tools:
zipalign -v -p 4 ./bazel-bin/src/main/java/kerberosauthenticator_unsigned.apk
kerberosauthenticator_unsigned.apk-aligned.apkapksigner sign --ks my-release-key.jks --out kerberosauthenticator.apk
kerberosauthenticator_unsigned.apk-aligned.apkzipalign ensures that all uncompressed data starts with a particular byte alignment relative to the start of the file, which may reduce the amount of RAM consumed by the app.
This example generates a signed APK called kerberosauthenticator.apk after signing it with a private key and certificate that are stored in a single KeyStore file: my-release-key.jks.
Details and instructions for building and signing apps can be found here: Build your app from the command line.
The CONTRIBUTING.md file contains instructions on how to submit the Contributor License Agreement before sending any pull requests (PRs). Of course, if you're new to the project, it's usually best to discuss any proposals and reach consensus before sending your first PR.