On 7/3/19 8:16 AM, Marek Posolda wrote:
On 03/07/2019 00:20, Nalyvayko, Peter wrote:
> Hi Marek,
>
>
> I believe in the original version the regular expression was the only
> mapper provided out of the box to parse the unique identity from the
> subject's DN. Adding the x500 mappers (email, etc.) came up, if I
> recall correctly, during the PR discussion, but I could be wrong.
Cool, Thanks for clarifying.
I think that when we add "Issuer's DN + serial number" combination, we
can remove "Issuer's email" and "Issuer's Common Name".
Thanks.
I'll try to prepare PR in a next couple of days to remove "Issuer's
email", "Issuer's Common Name" and add "Issuer's DN and serial
number"
Best regards,
Nemanja
Marek
>
>> None of provided mappings can guarantee uniqueness.
> For on-premise deployments having a simple mapping (email from x509
> cert) may be sufficient as long as there is a single trusted CA.
>
>> I would vote also for remove "Issuer's email" and "Issuer's Common
>> Name" as I can't imagine that those can be ever used to uniquely
>> identify subject and I doubt that someone is using this in
>> production for uniquely identify user?
> +1 I am not aware of any of our clients using the issuer's mappers.
>
> Cheers,
>
> Peter
>
> -----Original Message-----
> From: keycloak-dev-bounces(a)lists.jboss.org
> <keycloak-dev-bounces(a)lists.jboss.org> On Behalf Of Marek Posolda
> Sent: Tuesday, July 2, 2019 12:38 PM
> To: Nemanja Hiršl <nemanja.hirsl(a)netsetglobal.rs>;
> keycloak-dev(a)lists.jboss.org
> Subject: Re: [keycloak-dev] X.509 Authenticator - New User Identity
> Source
>
>
> On 02/07/2019 16:38, Nemanja Hiršl wrote:
>> Hi,
>>
>> Current implementation of X.509 Authenticator uses a number of
>> different mappings of a certificate to user identity.
>> None of provided mappings can guarantee uniqueness. It is up to CA to
>> choose which fields to include in SubjectDN and SAN and there might be
>> some unique data. In these cases we can use provided mappers to
>> identify users. However, if there's a need to support certificates
>> from different CAs, with unrelated usage of SubjectDN and SAN fields
>> those mappers are not sufficient.
>>
>> One way to uniquely identify user is to use certificate thumbprint.
>> For the solution I'm working on, we have implemented SHA256-Thumbprint
>> mapper and it is giving us expected results.
>>
>> Do you think sha256 thumbprint mapper would be a useful addition to
>> already existing mappers?
>> Should I prepare appropriate PR?
>>
>> The other approach might be combination of serial number and issuer.
>> According to RFC 5280 the issuer name and serial number identify a
>> unique certificate. This is something I haven't tried, but would like
>> to hear your opinion.
> +1 for the serial number + Issuer DN.
>
> I would vote also for remove "Issuer's email" and "Issuer's Common Name"
> as I can't imagine that those can be ever used to uniquely identify
> subject and I doubt that someone is using this in production for
> uniquely identify user?
>
> Adding Peter Nalyvayko to CC as I believe he was the original author
> who added those. Peter, feel free to correct me if I am wrong :)
>
> Thanks,
> Marek
>
>> Thanks.
>>
>> References:
>> 1. There's a nice explanation on stackoverflow of what can be used to
>> uniquely identify users:
>> https://stackoverflow.com/questions/5290571/which-parts-of-the-client-certificate-to-use-when-uniquely-identifying-users
>> 2. There's also a discussion here:
>> https://issues.jboss.org/browse/KEYCLOAK-9610
>> 3. RFC 5280:
>> https://tools.ietf.org/html/rfc5280#section-4.1.2.2
>>
>>
>> Best regards,
>> Nemanja
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
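Added example (not code from this thread or from Keycloak): the three candidate identity keys discussed above, computed with Go's crypto/x509 over two client certificates issued by a constructed test CA; the CA and subject names are assumptions. Comparing the keys across the two certificates shows why the issuer-only mapper collides for any two certificates from the same CA, while issuer DN + serial number and the SHA-256 thumbprint stay distinct.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// IdentityKeys returns the candidate user-identity keys from the thread for one client certificate: the
// SHA-256 thumbprint of its DER encoding, the RFC 5280 issuer name + serial number pair, and the issuer CN alone.
func IdentityKeys(c *x509.Certificate) (thumbprint, issuerSerial, issuerCN string) {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:]), c.Issuer.String() + "|" + c.SerialNumber.Text(16), c.Issuer.CommonName
}

// must panics on error; a broken constructed test PKI has no meaningful recovery path in this demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// TwoLeafCerts issues two client certificates with distinct subjects and serials from one constructed test CA.
func TwoLeafCerts() (*x509.Certificate, *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	// The CA only needs a subject name to act as signing parent; "Example Test CA" is an assumed name.
	ca, caKey := &x509.Certificate{Subject: pkix.Name{CommonName: "Example Test CA"}}, newKey()
	issue := func(cn string, serial int64) *x509.Certificate {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
		der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, newKey().Public(), caKey))
		return must(x509.ParseCertificate(der))
	}
	return issue("alice", 1001), issue("bob", 1002)
}

func main() {
	a, b := TwoLeafCerts()
	ta, sa, ca := IdentityKeys(a)
	tb, sb, cb := IdentityKeys(b)
	fmt.Printf("issuer CN collides: %v, issuer+serial collides: %v, thumbprint collides: %v\n", ca == cb, sa == sb, ta == tb)
}
```

Both unique keys change when a certificate is renewed, so whichever one a deployment stores for a user has to be re-bound on rotation.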