[keycloak-dev] Truststore SPI

Stian Thorgersen sthorger at redhat.com
Tue Aug 14 14:24:33 EDT 2018


Was thinking some more about how to share certificate functionality between
user authentication and client authentication. Potentially also to SAML.

We could add a Truststore SPI. The TruststoreProvider interface would have
something like the following methods (quick mock stuff):

* boolean verifyCert(CertificateMatcher matcher)
* Set<String> listExpiring()
* void trustCert(Cert cert)
* void removeTrustedCert(String id)
* Cert getSavedCert(String id)
* void removeSavedCert(String id)
* void saveCert(Cert cert)

We'd have a default built-in TruststoreProvider. Potentially delegating
some stuff to Elytron, but it would have to store certs in the db. It would
deal with checking if cert is still valid, call cert validation like the
user cert does, etc.

For user and client authentication we'd use verifyCert primarily. We'd have
something like UserCertMatcher.create()... and
ClientCertMatcher.create()... In the admin console we could add an option
to add trusted certs (not sure how that'd work in a cluster). For SAML
clients we'd delegate storing certs to the Truststore SPI instead of
storing the cert data alongside the client. The truststore would also add
some metadata in the db about certs so we can easily query for expiring
certs.
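The sketch below is an added illustration of the SPI described in this message; it is not Keycloak's code and the names `Cert`, `CertificateMatcher`, `InMemoryTruststoreProvider`, `byFingerprint` and `TruststoreSketch` are hypothetical. It keeps the seven method names from the post, stands in an in-memory map for the database the post mentions, leaves Elytron delegation out, and assumes Java 16+ (for the record). The security-relevant point it makes concrete is the split the post implies between `saveCert` and `trustCert`: `verifyCert` consults only entries that were explicitly trusted and are still within their validity window, so a SAML client cert that was merely stored can never act as a trust anchor for user or client authentication.

```java
// Added sketch of the Truststore SPI described in the post. Not Keycloak code:
// Cert, CertificateMatcher and InMemoryTruststoreProvider are hypothetical names,
// and in-memory maps stand in for the database rows the post talks about.
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;

public final class TruststoreSketch {

    /** Stored certificate record plus the metadata the post wants for expiry queries. */
    public record Cert(String id, String subjectDn, String sha256Fingerprint,
                       Instant notBefore, Instant notAfter) {}

    /** What UserCertMatcher.create()... / ClientCertMatcher.create()... would produce. */
    @FunctionalInterface
    public interface CertificateMatcher {
        boolean matches(Cert candidate);
    }

    /** The SPI interface, with the methods as listed in the post. */
    public interface TruststoreProvider {
        boolean verifyCert(CertificateMatcher matcher);
        Set<String> listExpiring();
        void trustCert(Cert cert);
        void removeTrustedCert(String id);
        Cert getSavedCert(String id);
        void removeSavedCert(String id);
        void saveCert(Cert cert);
    }

    /** Default provider; the two collections stand in for db tables. */
    public static final class InMemoryTruststoreProvider implements TruststoreProvider {
        private final Map<String, Cert> saved = new HashMap<>(); // every stored cert (e.g. SAML client certs)
        private final Set<String> trusted = new HashSet<>();     // ids that may act as trust anchors
        private final Clock clock;                               // injected so validity checks are testable
        private final Duration expiryWarning;                    // how far ahead listExpiring() looks

        public InMemoryTruststoreProvider(Clock clock, Duration expiryWarning) {
            this.clock = clock;
            this.expiryWarning = expiryWarning;
        }

        private boolean timeValid(Cert c) {
            Instant now = clock.instant();
            return !now.isBefore(c.notBefore()) && now.isBefore(c.notAfter());
        }

        /** Passes only if a trusted AND currently valid entry matches; merely saved certs never count. */
        @Override public boolean verifyCert(CertificateMatcher matcher) {
            return trusted.stream()
                    .map(saved::get)
                    .filter(Objects::nonNull)
                    .anyMatch(c -> timeValid(c) && matcher.matches(c));
        }

        /** Ids of stored certs expiring within the warning window, already-expired ones included. */
        @Override public Set<String> listExpiring() {
            Instant threshold = clock.instant().plus(expiryWarning);
            return saved.values().stream()
                    .filter(c -> !c.notAfter().isAfter(threshold))
                    .map(Cert::id)
                    .collect(Collectors.toCollection(TreeSet::new));
        }

        @Override public void trustCert(Cert cert) { saveCert(cert); trusted.add(cert.id()); }
        @Override public void removeTrustedCert(String id) { trusted.remove(id); }
        @Override public Cert getSavedCert(String id) { return saved.get(id); }
        // Dropping the stored row also drops any trust attached to it.
        @Override public void removeSavedCert(String id) { saved.remove(id); trusted.remove(id); }
        @Override public void saveCert(Cert cert) { saved.put(cert.id(), cert); }
    }

    /** Matcher a client-cert authenticator might build: pin on the SHA-256 fingerprint. */
    public static CertificateMatcher byFingerprint(String fingerprint) {
        return c -> c.sha256Fingerprint().equalsIgnoreCase(fingerprint);
    }

    public static void main(String[] args) {
        // Constructed sample data; the fingerprints are placeholders, not real digests.
        Instant now = Instant.parse("2018-08-14T18:24:33Z");
        Clock clock = Clock.fixed(now, ZoneOffset.UTC);
        TruststoreProvider ts = new InMemoryTruststoreProvider(clock, Duration.ofDays(30));

        ts.trustCert(new Cert("client-a", "CN=client-a", "AA:11",
                now.minus(Duration.ofDays(100)), now.plus(Duration.ofDays(300))));
        ts.trustCert(new Cert("client-b", "CN=client-b", "BB:22",
                now.minus(Duration.ofDays(400)), now.minus(Duration.ofDays(1))));
        ts.saveCert(new Cert("saml-x", "CN=saml-x", "CC:33",
                now.minus(Duration.ofDays(355)), now.plus(Duration.ofDays(10))));

        System.out.println(ts.verifyCert(byFingerprint("aa:11"))); // trusted and currently valid
        System.out.println(ts.verifyCert(byFingerprint("BB:22"))); // trusted but past notAfter
        System.out.println(ts.verifyCert(byFingerprint("CC:33"))); // saved for SAML, never trusted
        System.out.println(ts.listExpiring());                     // ids within the 30-day window
    }
}
```

The three `verifyCert` calls in `main` exercise the cases a reviewer of such an SPI would want covered: a trusted, in-date cert; a trusted cert whose validity has lapsed; and a cert that exists in the store only because a SAML client saved it. `listExpiring()` returns both the lapsed cert and the one with ten days left, which is what an admin-console expiry view would need; the clock is injected so those checks can be run against a fixed instant rather than wall-clock time.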
