<div dir="ltr"><div>I'm going to bump this, as I want to continue the discussion/provide some input.</div><div><br></div><div>Does it make sense to support more than one type of pairwise subject identifier generator? E.g. through a PairwiseSubGeneratorSpi?</div><div><br></div><div>Let's say I want to generate the pairwise sub as a salted hash: sub = SHA-256( sector_identifier || local_sub || salt )</div><div>To me, it makes sense to allow for per-client salts. These salts should probably be generated and persisted during client creation. Thoughts?</div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, 12 Aug 2016 at 09:57 Martin Hardselius <<a href="mailto:martin.hardselius@gmail.com">martin.hardselius@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thank you for your response. Did not see that ticket before. Great news!<div><br></div><div>I looked into using protocol mappers to achieve this, and while it would work, I'm worried that once KEYCLOAK-3422 has been resolved and included in a proper release we would run into migration issues if the method used for calculating "native" pairwise subs is different from what we implement. Clients could lose / be forced to re-register all their users if we decide to switch. The example methods in the spec are just that. Examples. Maybe the method/alg for computing the pairwise sub should be pluggable?</div></div><div dir="ltr"><div><br></div><div>-- </div><div>Martin</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 11 Aug 2016 at 17:15 Marek Posolda <<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Sorry for the late response. <br>
<br>
We have a JIRA created for that. You can possibly add yourself as a
watcher. See <a href="https://issues.jboss.org/browse/KEYCLOAK-3422" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-3422</a><br>
<br>
Maybe an alternative for you is to use protocolMappers. That
should allow you to "construct" the token for a particular client
exactly how you want and also use a different value for the "sub"
claim. <br>
<br>
Another possibility is to handle this on the adapter side. We already
have an adapter option "principal-attribute", which specifies that the
application will see a different attribute instead of "sub" as the
subject. For example, when in the application you call
"httpServletRequest.getRemoteUser()" it will return "john" instead
of "123456-unique-johns-uuid". See
<a href="https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.1/topics/oidc/java/java-adapter-config.html" target="_blank">https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.1/topics/oidc/java/java-adapter-config.html</a><br>
<br>
Hopefully some of the options can be useful for you?<br>
<br>
Marek</div></div><div bgcolor="#FFFFFF" text="#000000"><div><br>
<br>
On 02/08/16 14:13, Martin Hardselius wrote:<br>
</div></div><div bgcolor="#FFFFFF" text="#000000"><blockquote type="cite">
<div dir="ltr">
<div>My team and I are working towards getting Keycloak,
customized for our needs, into production, but we've identified
the need for Pairwise Subject Identifiers as we don't want to
expose internal user ids.</div>
<div><br>
</div>
<div>Right now, the only subject_types_supported seems to be
"public". Are there any near-future plans to include
"pairwise"? Can we pitch in with a PR to make this happen as
soon as possible?</div>
<div><br>
</div>
<div>Links to relevant sections in the spec:</div>
<div><br>
</div>
<a href="http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes</a><br>
<div><a href="http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg</a><br>
</div>
<div><br>
</div>
<div>-- </div>
<div>Martin</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote></div><div bgcolor="#FFFFFF" text="#000000"><blockquote type="cite"><pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div>
</blockquote></div></blockquote></div>
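The salted-hash pairwise sub proposed at the top of this thread, as an added example that is neither Keycloak code nor from any message above: it derives the sector identifier the way OIDC Core 8.1 describes, mints one salt per sector rather than per client (an assumption made here because clients that share a sector identifier must receive the same sub), length-prefixes each field before hashing so that plain concatenation cannot be ambiguous, and encodes the digest as base64url. The class name and the in-memory salt store are constructed for this example.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlparse


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Derive the sector identifier as in OIDC Core 8.1: the host of
    sector_identifier_uri when registered, otherwise the single host
    shared by all redirect URIs."""
    if sector_identifier_uri:
        return urlparse(sector_identifier_uri).hostname
    hosts = {urlparse(u).hostname for u in redirect_uris}
    if len(hosts) != 1:
        # Several redirect hosts without a sector_identifier_uri is a
        # registration error; refuse rather than guess a sector.
        raise ValueError("multiple redirect hosts require sector_identifier_uri")
    return hosts.pop()


class PairwiseSubGenerator:
    """Salted-hash generator: sub = b64url(SHA-256(sector || local_sub || salt)).

    Salts live in `self.salts`, a constructed in-memory store keyed by
    sector; a real server persists them with the client registration,
    because replacing a salt changes every sub issued for that sector."""

    def __init__(self):
        self.salts = {}

    def salt_for(self, sector):
        # Mint the salt once, at first use, so repeated logins are stable.
        if sector not in self.salts:
            self.salts[sector] = secrets.token_bytes(32)
        return self.salts[sector]

    def generate(self, sector, local_sub):
        salt = self.salt_for(sector)
        h = hashlib.sha256()
        # Length-prefix each field: with plain "||", moving bytes between
        # sector and local_sub could yield the same digest for two pairs.
        for part in (sector.encode(), local_sub.encode(), salt):
            h.update(len(part).to_bytes(2, "big") + part)
        return base64.urlsafe_b64encode(h.digest()).rstrip(b"=").decode()
```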