No release in over 3 years
LegionIO identity provider that resolves the authenticated Kerberos principal from legion-crypt into the unified identity contract
 Project Readme

lex-identity-kerberos

LegionIO identity provider extension for Kerberos. Implements the unified identity provider contract by reading the authenticated Kerberos principal from legion-crypt and resolving it into a canonical identity hash.

Overview

This gem does not duplicate GSSAPI or LDAP logic. It reads the principal that was already resolved by legion-crypt's KerberosAuth at boot time. For outbound SPNEGO token acquisition, it delegates to lex-kerberos's Helpers::Spnego#obtain_spnego_token when that gem is loaded.

Provider Contract

Legion::Extensions::Identity::Kerberos::Identity.provider_name   # => :kerberos
Legion::Extensions::Identity::Kerberos::Identity.provider_type   # => :auth
Legion::Extensions::Identity::Kerberos::Identity.facing          # => :human
Legion::Extensions::Identity::Kerberos::Identity.priority        # => 100
Legion::Extensions::Identity::Kerberos::Identity.trust_weight    # => 50
Legion::Extensions::Identity::Kerberos::Identity.capabilities
# => [:authenticate, :profile, :vault_auth, :outbound_auth]

resolve

Returns an identity hash or nil:

{
  canonical_name: 'miverso2',          # ^[a-z0-9][a-z0-9_-]*$ — no dots (AMQP word separator)
  kind:           :human,
  source:         :kerberos,
  principal:      'miverso2@MS.DS.UHC.COM',
  realm:          'MS.DS.UHC.COM',
  groups:         []                   # group lookup is lex-identity-ldap's responsibility
}

Returns nil when no Kerberos principal is available.

normalize(val)

Strips @REALM, downcases, trims whitespace, and removes characters outside [a-z0-9_-]. The removal is lossy: distinct principals can collapse to the same canonical_name (User.Name@REALM.COM and username@REALM.COM both become username), so anything that keys authorization on canonical_name is keying on the mapped name, not on the Kerberos principal itself:

Identity.normalize('User.Name@REALM.COM')  # => 'username'
Identity.normalize('miverso2@MS.DS.UHC.COM')  # => 'miverso2'
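The two sections above, resolve and normalize(val), describe the mapping from a Kerberos principal to the identity hash. The following is an added example written for this page, not code from lex-identity-kerberos: it implements the documented rules as plain functions, takes the principal as an argument instead of reading Legion::Crypt.kerberos_principal (so it runs offline), and adds one check the README only implies, rejecting a normalized name that does not satisfy the canonical_name pattern from the resolve section. The function names, the nil-on-invalid-name behaviour, and the sample principals are assumptions of the example.

```ruby
# Added example (not the gem's own code). Reimplements the README's normalize/resolve
# contract with the principal passed in explicitly so the file runs stand-alone.

# Pattern the README gives for canonical_name: leading alnum, then [a-z0-9_-], no dots.
CANONICAL_NAME = /\A[a-z0-9][a-z0-9_-]*\z/.freeze

# Strip @REALM, trim whitespace, downcase, drop everything outside [a-z0-9_-].
# Note the lossy step: 'User.Name' and 'username' both come out as 'username'.
def normalize_principal(val)
  return nil if val.nil?

  local = val.to_s.strip.split('@', 2).first.to_s
  local.downcase.gsub(/[^a-z0-9_-]/, '')
end

# Realm is everything after the first '@'; nil when the principal has none.
def realm_of(principal)
  principal.to_s.strip.split('@', 2)[1]
end

# Build the identity hash in the README's shape, or nil when there is no principal.
# Extra check added by this example: normalize/1 only removes characters, so a
# principal such as '_svc@REALM' would yield '_svc', which violates CANONICAL_NAME;
# this example returns nil for it rather than emitting a non-conforming name.
def resolve_identity(principal)
  return nil if principal.nil? || principal.to_s.strip.empty?

  name = normalize_principal(principal)
  return nil unless CANONICAL_NAME.match?(name)

  {
    canonical_name: name,
    kind:           :human,
    source:         :kerberos,
    principal:      principal.to_s.strip,
    realm:          realm_of(principal),
    groups:         []   # group lookup belongs to lex-identity-ldap, as the README says
  }
end
```

The collision assertion in the usage below is the point to keep in mind: if two principals in the same realm differ only in characters that normalize strips, they share a canonical_name, and the provider offers nothing downstream to tell them apart.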

provide_token

Returns a Legion::Identity::Lease with a SPNEGO token (10-hour validity), or nil on failure:

lease = Identity.provide_token
lease.provider    # => :kerberos
lease.credential  # => '<base64-spnego-token>'
lease.expires_at  # => Time (10h from now)
lease.renewable   # => true
lease.valid?      # => true
lease.metadata    # => { realm: 'MS.DS.UHC.COM' }

Requires lex-kerberos to be loaded and Legion::Settings[:kerberos][:service_principal] to be set.
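The provide_token section above describes a lease-shaped result with a fixed 10-hour expiry and nil on any failure, including the missing-helper and missing-setting cases. The block below is an added example for this page, not code from lex-identity-kerberos or lex-kerberos: Lease is a stand-in Struct with the fields the README lists, and the SPNEGO acquisition is a hypothetical callable injected by the caller (standing in for Helpers::Spnego#obtain_spnego_token) so the example runs offline. Deriving the metadata realm from the service principal's realm, the TOKEN_TTL constant, and the nil-on-exception policy are assumptions of the example; the token bytes in the test are constructed and are not a real SPNEGO token.

```ruby
# Added example (not the gem's or lex-kerberos's code). Models the README's
# provide_token contract: a lease with provider/credential/expires_at/renewable/metadata,
# nil when prerequisites are missing or acquisition fails.
require 'base64'
require 'time'

TOKEN_TTL = 10 * 60 * 60 # 10 hours, the validity the README documents

Lease = Struct.new(:provider, :credential, :expires_at, :renewable, :metadata,
                   keyword_init: true) do
  # A lease is usable while it carries a credential and has not reached expires_at.
  def valid?(now = Time.now)
    !credential.nil? && !credential.empty? && expires_at > now
  end
end

# token_source stands in for the lex-kerberos helper: nil means the optional gem is
# not loaded, exactly the "guarded with defined?" case in the Dependencies section.
# settings stands in for Legion::Settings; only [:kerberos][:service_principal] is read.
def provide_token(settings:, token_source:, now: Time.now)
  return nil if token_source.nil?                      # lex-kerberos not loaded

  spn = settings.dig(:kerberos, :service_principal)
  return nil if spn.nil? || spn.to_s.empty?            # service_principal unset

  raw = token_source.call(spn)                         # raw SPNEGO bytes
  return nil if raw.nil? || raw.empty?

  Lease.new(
    provider:   :kerberos,
    credential: Base64.strict_encode64(raw),           # base64 form, as in the README
    expires_at: now + TOKEN_TTL,
    renewable:  true,
    metadata:   { realm: spn.to_s.split('@', 2)[1] }   # assumption: realm of the SPN
  )
rescue StandardError
  # README contract is nil on failure; a real provider should log the error here so
  # a silent fall-through to another provider is visible in the operator's logs.
  nil
end
```

Note the consequence of the nil-on-failure contract: a misconfigured service_principal and a GSSAPI failure look identical to the caller, so whatever consumes the lease must treat nil as "no Kerberos outbound auth available" and not retry blindly against the same provider.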

vault_auth

Stub returning nil. Phase 5 implementation pending.

Dependencies

Required:

  • legion-json (>= 1.2.1)
  • legion-settings (>= 1.3.14)

Optional (guarded with defined?):

  • legion-crypt — for Legion::Crypt.kerberos_principal
  • lex-kerberos — for Legion::Extensions::Kerberos::Helpers::Spnego#obtain_spnego_token

Installation

Add to your Gemfile:

gem 'lex-identity-kerberos'

License

MIT