Hello developer,
I opened a new issue for Keycloak:
https://issues.jboss.org/browse/KEYCLOAK-9554
and provided a pull request:
https://github.com/keycloak/keycloak/pull/5878
Best regards,
Sebastian
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Tuesday, 12 February 2019 13:24
To: Thomas Darimont <thomas.darimont(a)googlemail.com>
Cc: Lösch, Sebastian <Sebastian.Loesch(a)governikus.de>; keycloak-dev <keycloak-dev(a)lists.jboss.org>
Subject: Re: [keycloak-dev] Certificate subject DN is provider dependent
Btw, we also support extracting email using a subject alt name extension. Maybe we could
safely use CANONICAL (which seems to be more aligned with the specs) and tell people to
use this extractor if they want to use email address from certificates.
On Tue, Feb 12, 2019 at 10:19 AM Pedro Igor Silva <psilva@redhat.com> wrote:
IIRC, the email address should be included/parsed as a subject alternative name extension.
BouncyCastle seems to be doing it right.
What is the JDK version being used?
On Tue, Feb 12, 2019 at 9:57 AM Thomas Darimont <thomas.darimont@googlemail.com> wrote:
Hi Sebastian,
how about Keycloak would introduce an option for this authenticator like:
"Use canonical principal extraction" on/off with default "off",
meaning the default behavior stays the same. "on" would then mean to use
the "canonical" option for extracting the subject as you suggested.
Cheers,
Thomas
On Tue, 12 Feb 2019 at 12:33, Lösch, Sebastian <Sebastian.Loesch@governikus.de> wrote:
Hello Keycloak developers,
I am currently working on configuring Keycloak for X.509 certificate login.
We store the whole user certificate's subject DN as a user attribute. During
the login we match the authentication certificate's subject DN against the
value stored in the user attributes.
The subject DN is determined by executing:
cert.getSubjectDN().getName()
Here we have a problem regarding the subject DN order. We realized that
the subject DN order is security provider specific:
· Using the SUN security provider we get a subject DN like:
"EMAILADDRESS=bjensen@example.com, CN=Ms. Barbara J Jensen III, O=example.com, ST=California, C=US"
· Using the BouncyCastle security provider we get a subject DN like:
"C=US,ST=California,O=example.com,CN=Ms. Barbara J Jensen III,E=bjensen@example.com"
This is obviously a problem.
Has anybody else run into the same problem?
In my opinion it would be better to use:
cert.getSubjectX500Principal().getName(X500Principal.CANONICAL)
to determine the subject DN, as the result is provider independent.
But this would be a backward-incompatible change to the method
org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.UserIdentityExtractorBuilder.fromConfig()
What is your opinion?
Best regards
Sebastian
--
Solution Engineering
--
Governikus GmbH & Co. KG
Hochschulring 4
28359 Bremen, Germany
Phone: +49 421 204 95 - 28
Fax: +49 421 204 95 - 11
E-Mail: Sebastian.Loesch@governikus.de
www.governikus.de
--
Governikus GmbH & Co. KG
Chairman of the supervisory board: Dr. Martin Hagen | Amtsgericht Bremen HRA 22041
Managing director: Dr. Stephan Klein
Personally liable partner: Governikus Bremen GmbH
Managing director: Dr. Stephan Klein | Amtsgericht Bremen HRB 18756
****************************************************
We have moved! Please note our new address:
Hochschulring 4, 28359 Bremen
Event preview: visit us at...
Dataport Hausmesse | 02.04.2019 | Hamburg - Schnelsen <https://www.dataport.de/Seiten/Aktuelles/Veranstaltungen/190402-Hausmesse-Dataport.aspx>
Digitaler Staat | 02. + 03.04.2019 | Berlin <https://www.digitaler-staat.org/>
7. Zukunftskongress Staat & Verwaltung | 27. - 29.05.2019 | Berlin <https://www.zukunftskongress.info/de>
Kongress Baden-Württemberg | 04.07.2019 | Stuttgart <https://www.bw-4-0.de/>
<http://www.jahrestagung.governikus.de/>
****************************************************
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
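The DN normalisation discussed in this thread, as an added Java example that is neither Keycloak code nor code from any of the participants. It builds the sample subject quoted above as DER bytes wrapped in an X500Principal, which is what cert.getSubjectX500Principal() hands you (no certificate is parsed here), prints the toString, RFC2253 and CANONICAL renderings of the same bytes, and matches a stored DN string against the certificate subject by CANONICAL form instead of by the provider's toString() output. The class and method names (SubjectDnMatch, subjectFromDer, canonical, subjectMatches) and the stored-value variants are made up for the example.

```java
import javax.security.auth.x500.X500Principal;

/**
 * Added example, not Keycloak code. Demonstrates why comparing subject DNs as
 * provider-rendered strings is fragile and how X500Principal.CANONICAL gives a
 * provider-independent form for matching a certificate against a stored value.
 */
public class SubjectDnMatch {

    /** Sample subject from the thread in RFC 2253 order (leaf RDN first); constructed for this example. */
    static final String SAMPLE_SUBJECT =
        "EMAILADDRESS=bjensen@example.com, CN=Ms. Barbara J Jensen III, O=example.com, ST=California, C=US";

    /**
     * Build the subject the way a certificate carries it: parse the string once,
     * take the DER encoding, and wrap the raw bytes in a fresh X500Principal.
     * From here on only the bytes matter, exactly as with getSubjectX500Principal().
     */
    static X500Principal subjectFromDer() {
        byte[] der = new X500Principal(SAMPLE_SUBJECT).getEncoded();
        return new X500Principal(der);
    }

    /** Provider-independent normalisation: the CANONICAL string of a DER-backed principal. */
    static String canonical(X500Principal p) {
        return p.getName(X500Principal.CANONICAL);
    }

    /**
     * Match a stored DN string against the certificate subject. Both sides are
     * parsed into X500Principal and compared by CANONICAL form, so keyword case,
     * whitespace around separators and attribute-value case do not matter.
     * A stored value that is not a parseable DN yields false instead of an exception.
     */
    static boolean subjectMatches(String storedDn, X500Principal certSubject) {
        try {
            return canonical(new X500Principal(storedDn)).equals(canonical(certSubject));
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        X500Principal subject = subjectFromDer();

        // Three renderings of the same DER bytes. toString() is implementation
        // specific; RFC2253 and CANONICAL are defined by X500Principal itself,
        // and CANONICAL additionally lower-cases and compresses whitespace.
        System.out.println("toString : " + subject);
        System.out.println("RFC2253  : " + subject.getName(X500Principal.RFC2253));
        System.out.println("CANONICAL: " + canonical(subject));

        // Variants an operator might have stored for the same DN: no spaces after
        // commas, or lower-case keywords. Both denote the same RDN sequence.
        String noSpaces = "EMAILADDRESS=bjensen@example.com,CN=Ms. Barbara J Jensen III,O=example.com,ST=California,C=US";
        String lowerKw  = "emailaddress=bjensen@example.com, cn=Ms. Barbara J Jensen III, o=example.com, st=California, c=US";
        System.out.println("no-space variant matches : " + subjectMatches(noSpaces, subject));
        System.out.println("lower-keyword variant   : " + subjectMatches(lowerKw, subject));

        // Caveat: the BouncyCastle rendering quoted in the thread lists RDNs in
        // ASN.1 order (C first). Read as an RFC 2253 string that is a different DN,
        // with C=US as the leaf RDN, so such a string must not be stored as-is.
        String bcOrder = "C=US,ST=California,O=example.com,CN=Ms. Barbara J Jensen III,EMAILADDRESS=bjensen@example.com";
        System.out.println("BC-ordered string matches: " + subjectMatches(bcOrder, subject));
    }
}
```

The first two stored variants match because CANONICAL removes the spacing and keyword-case differences; the BouncyCastle-ordered string does not, because the RFC 2253 parser reads the first listed RDN as the last element of the sequence, so the RDN order is reversed relative to the certificate. X500Principal.equals() performs the same canonical-form comparison, so storing the CANONICAL string and comparing strings, or storing the DER bytes and comparing principals, are equivalent; what is not safe is persisting whatever getSubjectDN().getName() printed under one provider and comparing it under another.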