[keycloak-dev] OAuth 2.0 Mutual TLS Client Authentication

乗松隆志 / NORIMATSU,TAKASHI takashi.norimatsu.ws at hitachi.com
Thu Jul 26 21:22:48 EDT 2018


Hello Sebastian,

I'm looking forward to your work, and I would be happy if I could make some contribution once your work is finished.

Best regards,
Takashi Norimatsu
Hitachi Ltd.,

----------
From: Sebastian Laskawiec <slaskawi at redhat.com> 
Sent: Thursday, July 26, 2018 5:24 PM
To: 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws at hitachi.com>
Cc: keycloak-dev at lists.jboss.org
Subject: [!]Re: [keycloak-dev] OAuth 2.0 Mutual TLS Client Authentication

Hey Takashi,

Thanks a lot for the interest in contributing to Keycloak!

Sebi and I are working on this topic currently. We plan to reuse some bits of the User x509 Authentication and bring them to the client. We planned the implementation for this sprint, so it *should* be ready in ~3 weeks.

More comments inlined.

Thanks,
Sebastian
On Thu, Jul 26, 2018 at 1:23 AM 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws at hitachi.com> wrote:
Hello,

As mentioned in https://issues.jboss.org/browse/KEYCLOAK-7512 and https://issues.jboss.org/browse/KEYCLOAK-7635, is there anyone currently implementing OAuth 2.0 Mutual TLS Client Authentication as defined in https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2?

We also have an additional requirement: allow authenticating a client without "client_id" being sent (we need to extract it from the certificate obtained during the TLS handshake). This is required for OpenShift integration.

If no one is doing it, I would like to try to implement this feature. What do you think about it?

Also, in https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2, two types of OAuth 2.0 Mutual TLS Client Authentication are defined: one for PKI and one for self-signed certificates.

I would be happy if those of you who are interested in this feature could tell me which you prefer.

As far as I know, we won't be touching self-registering clients. So maybe once we are done (let's assume that will happen in ~3 weeks), you could take it over and look into that?

BTW, for now we will be implementing everything in this branch: https://github.com/sebastienblanc/keycloak/tree/client-x509 (currently it contains an empty Authenticator, but we will be adding bits and pieces to it).

Best regards,
Takashi Norimatsu
Hitachi Ltd.,

_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
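The two client authentication methods Takashi points at in draft-ietf-oauth-mtls-07 section 2 (PKI and self-signed certificate), together with the client_id-less variant Sebastian raises for OpenShift, as an added Python example that is not part of this thread and not Keycloak's code. It assumes the TLS layer has already parsed and path-validated the client certificate and hands it over as a record (the PeerCertificate and RegisteredClient types, their field names, the byte strings standing in for DER certificates and all client data are constructed for illustration); the method names are the token_endpoint_auth_method values from the draft.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Method names are the token_endpoint_auth_method values from draft-ietf-oauth-mtls.
PKI_METHOD = "tls_client_auth"
SELF_SIGNED_METHOD = "self_signed_tls_client_auth"


@dataclass(frozen=True)
class PeerCertificate:
    """Client certificate as handed over by the TLS layer (assumed already parsed)."""
    subject_dn: str     # RFC 4514 string form of the subject name
    der: bytes          # DER encoding as presented in the handshake
    chain_valid: bool   # result of path validation against the server's trust anchors


@dataclass(frozen=True)
class RegisteredClient:
    """What the authorization server stores per client (hypothetical field names)."""
    client_id: str
    method: str
    subject_dn: Optional[str] = None                  # expected subject, PKI method
    cert_fingerprints: FrozenSet[str] = frozenset()   # SHA-256 of registered certs, self-signed method


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: attribute types are case-insensitive and
    whitespace around separators is insignificant. Commas escaped inside a value are
    kept; full RFC 4518 value preparation is deliberately not attempted."""
    rdns = re.split(r"(?<!\\),", dn)
    out = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")
        out.append(f"{typ.strip().lower()}={val.strip()}")
    return ",".join(out)


def fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def resolve_client(clients: Dict[str, RegisteredClient], client_id: Optional[str],
                   cert: PeerCertificate) -> Optional[RegisteredClient]:
    """With client_id present this is a lookup. Without it (the OpenShift case in the
    thread) the certificate must identify exactly one registered client; an ambiguous
    match is treated as no match so one certificate can never act as two clients."""
    if client_id is not None:
        return clients.get(client_id)
    fp, dn = fingerprint(cert.der), normalize_dn(cert.subject_dn)
    matches = [
        c for c in clients.values()
        if (c.method == PKI_METHOD and c.subject_dn is not None
            and normalize_dn(c.subject_dn) == dn)
        or (c.method == SELF_SIGNED_METHOD and fp in c.cert_fingerprints)
    ]
    return matches[0] if len(matches) == 1 else None


def authenticate(client: RegisteredClient, cert: PeerCertificate) -> bool:
    """Apply the method the client is registered for (draft-ietf-oauth-mtls section 2)."""
    if client.method == PKI_METHOD:
        # PKI: the chain must validate and the subject must equal the registered DN.
        return (cert.chain_valid and client.subject_dn is not None
                and normalize_dn(cert.subject_dn) == normalize_dn(client.subject_dn))
    if client.method == SELF_SIGNED_METHOD:
        # Self-signed: the presented certificate must be one registered for the client;
        # there is no chain to validate, so the registered fingerprint is the whole check.
        return fingerprint(cert.der) in client.cert_fingerprints
    return False


def handle_token_request(clients: Dict[str, RegisteredClient], params: Dict[str, str],
                         cert: Optional[PeerCertificate]) -> Dict[str, object]:
    """Token-endpoint client authentication; every failure is a generic invalid_client."""
    if cert is None:
        return {"ok": False, "error": "invalid_client", "reason": "no client certificate"}
    client = resolve_client(clients, params.get("client_id"), cert)
    if client is None:
        return {"ok": False, "error": "invalid_client", "reason": "unknown or ambiguous client"}
    if not authenticate(client, cert):
        return {"ok": False, "error": "invalid_client", "reason": "certificate does not match"}
    return {"ok": True, "client_id": client.client_id}


# Constructed sample data; the byte strings stand in for real DER certificates.
SELF_SIGNED_DER = b"constructed DER of client-b's self-signed certificate"
CLIENTS = {
    "client-a": RegisteredClient("client-a", PKI_METHOD,
                                 subject_dn="CN=client-a, OU=Apps, O=Example Corp, C=JP"),
    "client-b": RegisteredClient("client-b", SELF_SIGNED_METHOD,
                                 cert_fingerprints=frozenset({fingerprint(SELF_SIGNED_DER)})),
}
PKI_CERT = PeerCertificate("cn=client-a,ou=Apps,o=Example Corp,c=JP",
                           b"constructed DER of a CA-issued certificate", chain_valid=True)
SELF_CERT = PeerCertificate("CN=client-b", SELF_SIGNED_DER, chain_valid=False)

if __name__ == "__main__":
    print(handle_token_request(CLIENTS, {"client_id": "client-a"}, PKI_CERT))
    print(handle_token_request(CLIENTS, {}, PKI_CERT))     # client_id derived from the cert
    print(handle_token_request(CLIENTS, {}, SELF_CERT))
```

The point worth noting for the client_id-less case is the ambiguity rule in resolve_client: if two registered clients claim the same subject DN (or the same certificate), the request is rejected rather than attributed to whichever client happens to be found first, and the error stays a generic invalid_client so the response does not reveal which clients exist.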