[keycloak-dev] X.509 User Identity Extractor - multiple values

Fri Mar 22 05:19:31 EDT 2019

Thanks for the clarification

TBH It seems to me that probably even (b) won't be very generally 
useful. Unless for example some LDAP servers store the certificate PEM 
in some standard LDAP attribute of the user? But if it's customization 
of LDAP schema specific to your environment to be able to save the 
certificate PEM in the LDAP attribute, then my vote is to not add it.

Marek

On 21/03/2019 17:18, Sven-Torben Janus wrote:
> Hi Marek,
>
> I agree to your thoughts on solution a). That's basically why I wanted to discuss it here, before starting an implementation.
> Regarding, solution b), yes that is what I thought about (with or without the initial/final lines).
>
> Sven-Torben
>
> -----Ursprüngliche Nachricht-----
> Von: Marek Posolda <mposolda at redhat.com>
> Gesendet: Donnerstag, 21. März 2019 10:54
> An: Sven-Torben Janus <sven-torben.janus at conciso.de>; keycloak-dev at lists.jboss.org
> Betreff: Re: [keycloak-dev] X.509 User Identity Extractor - multiple values
>
> Hi,
>
> The solution (a) looks quite specific to the environment and I don't think that it will be useful to have this as a generic feature in Keycloak.. Solution (b) looks like bit more generally useful, but still not 100% sure about adding it to Keycloak... For the solution (b), are you talking about the PEM String representation of the X509 certificate, which just excludes the initial and final lines (Those with "BEGIN CERTIFICATE" and "END CERTIFICATE" )?
>
> Marek
>
> On 21/03/2019 07:48, Sven-Torben Janus wrote:
>> Hey all!
>>
>> I am currently facing a situation with a customer who wants to implement mutual SSL / client cert authentication. As I understand from the UserIdentityExtractor[1] implementations, currently only returning a single value is allowed, because the UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
>>
>> Now my customer uses the serial number from the certificate to identify users. However, this is only unique in combination with the issuer of the certificate, since my customer supports multiple CAs. The combination of both exists in their LDAP as a single attribute where both parts are separated by a special separator character.
>> In addition to that, the whole certificate of the user is also available in another LDAP attribute.
>>
>> I currently see the following options to implement a solution for this:
>> 1) Writing a custom Authenticator to handle that specific situation. This one would look very similar to the ootb X509 authenticator, but implements either a) or b) (see below)
>> 2) Making a contribution to Keycloak and extend the list of available UserIdentitiyExtractors.
>>
>> For both approaches two different implementations come to my mind:
>>
>> a) Adding an additional UserIdentitiyExtractor which combines the issuer and the serial number into a single string and use that as an identity.
>> b) Adding an additional UserIdentitiyExtractor which returns the whole certificate as the user's identity.
>>
>> We would prefer contributing to Keycloak, if such a contribution is welcome and meaningful.
>>
>> Do you have any advice on which way to go here?
>>
>> [1]https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/x509/UserIdentityExtractor.java
>> [2]https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/x509/UserIdentityToModelMapper.java#L57
>>
>> Regards
>> Sven-Torben
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>