Light-oauth2 supports Kerberos/SPNEGO with the built-in default authentication/authorization authenticator. This allows the user to sign on to the desktop once and then run the OAuth2 authorization code flow in the browser with Single Sign-On.
For the light-oauth2 server and AD/KDC configuration, please refer to default auth. Once you have the light-oauth2 and AD/KDC servers ready, you can perform an integration test on your local MacBook Pro with SSO to confirm that all configurations are working.
Here are the steps to do the integration test.
Assume that AD/KDC are ready
You can set up a single testing server on the domain controller in Microsoft Windows Server. Please refer to default auth for more details.
Please note that the configuration files in the above folder are designed for the example.com site; you need to make the corresponding updates for your deployment.
Start OAuth 2.0 services
Let's assume that we have another folder of light-oauth2 config files with the proper config to point to the AD/KDC server within the organization.
docker-compose -f docker-compose-oauth2-mysql.yml up
Please verify that the light-oauth2 services are running.
Set up SSO on Mac
The above light-oauth2 services connect to the DNA AD/KDC. In order for the browser application to log in to the light-oauth2 authorization code service and receive the authorization code redirect, we need to log in to DNA from Keychain Access.
Launch Keychain Access
From the Keychain Access menu, select Ticket Viewer.
Click add new identity and enter your DNA credential.
Once you log in successfully, a ticket will be issued with an expiration time of 24h.
The next day, you can just click the refresh button under the userId to renew the ticket.
For Kerberos/SPNEGO to work, the light-oauth2 server must use a DNS name that matches the SPN definition. Since we are using a MacBook Pro for our oauth2 server, we are going to update the /etc/hosts file to do the mapping.
127.0.0.1 localhost dev.oauth.example.com
For an official test environment or production, we should use DNS instead.
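Before opening the browser, it is worth confirming the three things the SSO test depends on: the host name resolves locally as the /etc/hosts line above intends (it must match the host part of the HTTP/hostname SPN registered in AD), the Ticket Viewer login actually left a TGT in the ticket cache, and the authorization code service answers an unauthenticated request with a WWW-Authenticate: Negotiate challenge. The script below is an added example for this page, not part of light-oauth2; the port, the /oauth2/code path, the realm and the sample hosts/klist/header text are assumptions or constructed input, so adjust them to your deployment.

```shell
#!/bin/sh
# Added pre-flight check for the SPNEGO SSO test described on this page; not light-oauth2 code.
# Assumptions (not from the page): the port and path of the authorization code endpoint
# and the Kerberos realm are placeholders; the hosts-file lines and headers used in
# testing are constructed samples.

# Succeed when hosts-file content ($1) maps host name ($2) to address ($3).
# Comments are stripped and every alias on a line is considered.
hosts_maps() {
  printf '%s\n' "$1" | sed 's/#.*//' | awk -v h="$2" -v a="$3" '
    NF >= 2 && $1 == a { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Succeed when klist-style output ($1) lists a TGT (krbtgt) for realm ($2),
# i.e. the Ticket Viewer login produced a usable ticket.
has_tgt() {
  printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# Succeed when response headers ($1) carry a "WWW-Authenticate: Negotiate" challenge,
# which is what the browser needs before it will send a SPNEGO token.
offers_negotiate() {
  printf '%s\n' "$1" | grep -qi '^WWW-Authenticate:[[:space:]]*Negotiate'
}

# Live checks against the local setup; only run when invoked with "--live".
live_check() {
  host=${OAUTH_HOST:-dev.oauth.example.com}
  url="https://$host:${OAUTH_PORT:-6881}/oauth2/code"   # port and path are assumptions
  hosts_maps "$(cat /etc/hosts)" "$host" 127.0.0.1 \
    || { echo "missing /etc/hosts mapping for $host"; return 1; }
  has_tgt "$(klist 2>/dev/null)" "${KRB_REALM:-EXAMPLE.COM}" \
    || { echo "no TGT in the ticket cache; log in via Ticket Viewer first"; return 1; }
  # First request without credentials: the server must challenge with Negotiate.
  # -k only because the local test server uses a self-signed certificate.
  offers_negotiate "$(curl -sk -D - -o /dev/null "$url")" \
    || { echo "no Negotiate challenge from $url"; return 1; }
  # Second request lets curl answer the challenge with the cached ticket
  # ("-u :" tells curl to use the GSS credentials instead of a password).
  curl -sk --negotiate -u : -o /dev/null -w 'SPNEGO request status: %{http_code}\n' "$url"
}

if [ "${1:-}" = "--live" ]; then
  live_check
fi
```

Run it as `sh spnego_check.sh --live` after the Ticket Viewer login; a 302 from the second request is the authorization code redirect the browser test expects, while a 401 usually means the SPN does not match the host name the request was sent to.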
Test from a Browser.
All major browsers support Kerberos/SPNEGO these days. We are going to use Safari, which has built-in support for SPNEGO on the MacBook Pro.