himmelblau-idm / himmelblau

Azure Entra ID Authentication, with PAM and NSS modules.
GNU General Public License v3.0

Get a kerberos TGT via AAD #45

Open dmulder opened 1 year ago

dmulder commented 1 year ago

We can obtain a TGT by authenticating via a ConfidentialClient, then passing the query parameter “tgt=true” during an authentication. Perhaps we can implement a himmelblau kinit command, which will cache the TGT, and a Kerberos wrapper library which forwards our Kerberos requests via MS-KKDCP.

Description from Steve Syfuhs: "You’re handed a TGT during AAD auth by appending the query parameter “tgt=true”, and then issue a TGS-REQ using that TGT to https://login.microsoftonline.com/<tenant_id>/kerberos using [MS-KKDCP]."
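The MS-KKDCP framing referred to above, as an added example in the project's language (not himmelblau's own code): it wraps a Kerberos PDU such as a TGS-REQ in a KDC-PROXY-MESSAGE for the HTTPS POST to the /kerberos endpoint and unwraps the proxy's reply, rejecting replies whose length prefix disagrees with the body. The TGS-REQ bytes and realm used in testing are constructed stand-ins; the HTTP transport itself is not shown.

```rust
// Added example (not himmelblau code): DER framing for MS-KKDCP.
//   KDC-PROXY-MESSAGE ::= SEQUENCE { kerb-message [0] OCTET STRING,
//     target-domain [1] KerberosString OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL }
// kerb-message carries the Kerberos PDU behind its 4-byte big-endian TCP length (RFC 4120 7.2.2).

fn der_len(len: usize) -> Vec<u8> {
    if len < 0x80 { return vec![len as u8]; }
    // Long form: 0x80 | number of length octets, then the length big-endian without leading zeros.
    let digits: Vec<u8> = len.to_be_bytes().iter().copied().skip_while(|b| *b == 0).collect();
    let mut out = vec![0x80 | digits.len() as u8];
    out.extend(digits);
    out
}

fn der_tlv(tag: u8, body: &[u8]) -> Vec<u8> {
    [vec![tag], der_len(body.len()), body.to_vec()].concat()
}

/// Wrap a Kerberos PDU (e.g. a TGS-REQ) for an HTTP POST to the KDC proxy.
pub fn kkdcp_encode(krb_pdu: &[u8], target_domain: Option<&str>) -> Vec<u8> {
    let mut framed = (krb_pdu.len() as u32).to_be_bytes().to_vec();
    framed.extend_from_slice(krb_pdu);
    let mut seq = der_tlv(0xA0, &der_tlv(0x04, &framed));
    if let Some(realm) = target_domain {
        seq.extend(der_tlv(0xA1, &der_tlv(0x1B, realm.as_bytes()))); // GeneralString
    }
    der_tlv(0x30, &seq)
}

/// Read one DER TLV at `pos`; returns (tag, body, end offset), or None if malformed.
fn der_read(buf: &[u8], pos: usize) -> Option<(u8, &[u8], usize)> {
    let (tag, first) = (*buf.get(pos)?, *buf.get(pos + 1)?);
    let (len, hdr) = if first < 0x80 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7F) as usize;
        if n == 0 || n > 4 { return None; }
        let len = buf.get(pos + 2..pos + 2 + n)?.iter().fold(0usize, |acc, b| (acc << 8) | *b as usize);
        (len, 2 + n)
    };
    let end = (pos + hdr).checked_add(len)?;
    Some((tag, buf.get(pos + hdr..end)?, end))
}

/// Unwrap the proxy's reply, returning the Kerberos PDU without its length prefix.
pub fn kkdcp_decode(msg: &[u8]) -> Option<Vec<u8>> {
    let (tag, seq, end) = der_read(msg, 0)?;
    if tag != 0x30 || end != msg.len() { return None; }
    let (tag, ctx0, _) = der_read(seq, 0)?;
    if tag != 0xA0 { return None; }
    let (tag, framed, _) = der_read(ctx0, 0)?;
    if tag != 0x04 || framed.len() < 4 { return None; }
    let declared = u32::from_be_bytes([framed[0], framed[1], framed[2], framed[3]]) as usize;
    // A length prefix that disagrees with the body means a truncated or malformed reply.
    if declared != framed.len() - 4 { return None; }
    Some(framed[4..].to_vec())
}
```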

dmulder commented 1 year ago

This depends on #29 because we can't pass the tgt parameter during the auth using Microsoft's msal.

dmulder commented 1 year ago

It also depends on #35 because only a ConfidentialClient can obtain tgts.

dmulder commented 1 year ago

Perhaps a good way to handle this will be to create a kinit utility which fetches the TGT using MSAL, after which everything else will be handled the same as usual.

dmulder commented 10 months ago

This is partially implemented by MR#46. We now have the TGT in the PRT, we just aren't doing anything with it yet (and the tgt is encrypted still). JWE decryption needs to be implemented in compact-jwt for us to get the TGT.

dmulder commented 8 months ago

The cloud and on-prem TGTs are now decrypted and residing within the PRT. Now to just do something with them!