Hi,
did you get a chance to look into this PR?
If there's something wrong with the code/logic, I'll be happy to rework
it. Just let me know.
Best regards,
Nemanja
On 7/8/19 2:44 PM, Nemanja Hiršl wrote:
Hi Marek,
After having some trouble resolving merge conflicts, I've finally
filed a new PR:
https://github.com/keycloak/keycloak/pull/6153
Please take a look when you have time.
Thanks.
Best regards,
Nemanja
On 7/3/19 10:41 AM, Marek Posolda wrote:
> Thanks!
>
> Marek
>
> On 03/07/2019 10:34, Nemanja Hiršl wrote:
>> On 7/3/19 8:16 AM, Marek Posolda wrote:
>>> On 03/07/2019 00:20, Nalyvayko, Peter wrote:
>>>> Hi Marek,
>>>>
>>>>
>>>> I believe in the original version the regular expression was the
>>>> only mapper provided out of the box to parse the unique identity
>>>> from the subject's DN. Adding the x500 mappers (email, etc.) came
>>>> up, if I recall correctly, during the PR discussion, but I could
>>>> be wrong.
>>>
>>> Cool, Thanks for clarifying.
>>>
>>> I think that when we add the "Issuer's DN + serial number" combination,
>>> we can remove "Issuer's email" and "Issuer's Common Name".
>>>
>>
>> Thanks.
>> I'll try to prepare a PR in the next couple of days to remove "Issuer's
>> email" and "Issuer's Common Name" and add "Issuer's DN and serial number".
>>
>>
>> Best regards,
>> Nemanja
>>
>>> Marek
>>>
>>>>
>>>>> None of provided mappings can guarantee uniqueness.
>>>> For on-premise deployments having a simple mapping (email from
>>>> x509 cert) may be sufficient as long as there is a single trusted CA.
>>>>
>>>>> I would also vote for removing "Issuer's email" and "Issuer's
>>>>> Common Name", as I can't imagine that those can ever be used to
>>>>> uniquely identify a subject, and I doubt that someone is using this
>>>>> in production to uniquely identify users?
>>>> +1 I am not aware of any of our clients using the issuer's mappers.
>>>>
>>>> Cheers,
>>>>
>>>> Peter
>>>>
>>>> -----Original Message-----
>>>> From: keycloak-dev-bounces(a)lists.jboss.org
>>>> <keycloak-dev-bounces(a)lists.jboss.org> On Behalf Of Marek Posolda
>>>> Sent: Tuesday, July 2, 2019 12:38 PM
>>>> To: Nemanja Hiršl <nemanja.hirsl(a)netsetglobal.rs>;
>>>> keycloak-dev(a)lists.jboss.org
>>>> Subject: Re: [keycloak-dev] X.509 Authenticator - New User
>>>> Identity Source
>>>>
>>>>
>>>> On 02/07/2019 16:38, Nemanja Hiršl wrote:
>>>>> Hi,
>>>>>
>>>>> The current implementation of the X.509 Authenticator uses a number of
>>>>> different mappings of a certificate to a user identity.
>>>>> None of the provided mappings can guarantee uniqueness. It is up to
>>>>> the CA to choose which fields to include in the SubjectDN and SAN, and
>>>>> there might be some unique data. In these cases we can use the provided
>>>>> mappers to identify users. However, if there's a need to support
>>>>> certificates from different CAs, with unrelated usage of the SubjectDN
>>>>> and SAN fields, those mappers are not sufficient.
>>>>>
>>>>> One way to uniquely identify a user is to use the certificate thumbprint.
>>>>> For the solution I'm working on, we have implemented a SHA256-Thumbprint
>>>>> mapper and it is giving us the expected results.
>>>>>
>>>>> Do you think a sha256 thumbprint mapper would be a useful addition to
>>>>> the already existing mappers?
>>>>> Should I prepare an appropriate PR?
>>>>>
>>>>> The other approach might be a combination of serial number and issuer.
>>>>> According to RFC 5280 the issuer name and serial number identify a
>>>>> unique certificate. This is something I haven't tried, but I would like
>>>>> to hear your opinion.
>>>> +1 for the serial number + Issuer DN.
>>>>
>>>> I would also vote for removing "Issuer's email" and "Issuer's Common
>>>> Name", as I can't imagine that those can ever be used to uniquely
>>>> identify a subject, and I doubt that someone is using this in
>>>> production to uniquely identify users?
>>>>
>>>> Adding Peter Nalyvayko to CC as I believe he was the original
>>>> author who added those. Peter, feel free to correct me if I am
>>>> wrong :)
>>>>
>>>> Thanks,
>>>> Marek
>>>>
>>>>> Thanks.
>>>>>
>>>>> References:
>>>>> 1. There's a nice explanation on stackoverflow of what can be
>>>>> used to uniquely identify users:
>>>>> https://stackoverflow.com/questions/5290571/which-parts-of-the-client-certificate-to-use-when-uniquely-identifying-users
>>>>> 2. There's also a discussion here:
>>>>> https://issues.jboss.org/browse/KEYCLOAK-9610
>>>>> 3. RFC 5280: https://tools.ietf.org/html/rfc5280#section-4.1.2.2
>>>>>
>>>>>
>>>>> Best regards,
>>>>> Nemanja
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>>
>>
>
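An added example, not Keycloak's code and not from anyone in this thread: in Go (standard library only) it builds two constructed self-signed certificates standing in for two CAs that each issued a certificate for the same email address, then computes the three mappings discussed above. The email mapping collides across the two CAs, while the SHA-256 thumbprint and the RFC 5280 issuer DN + serial number identifier stay distinct. The function names and the "Demo CA" values are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// MakeCert builds a constructed, self-signed test certificate (not a real CA)
// whose issuer CN, subject email SAN and serial number the caller chooses.
func MakeCert(issuerCN, email string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: issuerCN}, // self-signed: subject == issuer
		EmailAddresses: []string{email},                 // rfc822Name SAN read by an "email" mapper
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Thumbprint is the SHA-256 thumbprint mapping: hex digest of the whole DER certificate.
func Thumbprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// IssuerSerial is the RFC 5280 section 4.1.2.2 identifier: issuer DN plus
// serial number, a pair a conforming CA must never reuse.
func IssuerSerial(c *x509.Certificate) string {
	return c.Issuer.String() + "#" + c.SerialNumber.String()
}
```

The thumbprint changes whenever the certificate is reissued (renewal, re-keying), so it identifies a certificate rather than a person; the issuer DN + serial pair has the same property but survives only as long as the issuer really never reuses serials.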