WebAuth::Token::WebKDCService(3) WebAuth webkdc-service tokens


my $token = WebAuth::Token::WebKDCService->new;
$token->subject ('user');
$token->session_key ($key);
$token->expiration (time + 3600);
print $token->encode ($keyring), "\n";


A WebAuth webkdc-service token, sent by the WebKDC to a WAS and returned by the WAS to the WebKDC as part of the request token. The purpose of this token is to store the session key used for encrypting the request token and its responses. It's encrypted in the WebKDC's long-term key, and is therefore used by the WebKDC to recover the session key without having local state.


new ()
Create a new, empty WebAuth::Token::WebKDCService. At least some attributes will have to be set using the accessor methods described below before the token can be used.


As with WebAuth module functions, failures are signaled by throwing WebAuth::Exception rather than by return status.

General Methods

encode (KEYRING)
Generate the encoded and encrypted form of this token using the provided KEYRING. The encryption key used will be the one returned by the best_key() method of WebAuth::Keyring on that KEYRING.

Accessor Methods

subject ([SUBJECT])
Get or set the subject, which holds the authenticated identity of the bearer of this token. This will normally be "krb5:" followed by the fully-qualified Kerberos principal of the WebAuth Application Server that requested this token.
session_key ([KEY])
Get or set the session key, which will be used for encrypted communication with the entity presenting this token. This contains only the raw key data, not a full WebAuth::Key object.
creation ([TIMESTAMP])
Get or set the creation timestamp for this token in seconds since epoch. If not set, the encoded token will have a creation time set to the time of encoding.
expiration ([TIMESTAMP])
Get or set the expiration timestamp for this token in seconds since epoch.


Russ Allbery <[email protected]>