I'm going to bump this, as I want to continue the discussion/provide some
input.
Does it make sense to support more than type of pairwise subject identifier
generator? E.g through a PairwiseSubGeneratorSpi?
Let's say I want to generate the pairwise sub as a salted hash: sub =
SHA-256( sector_identifier || local_sub || salt )
To me, it makes sense to allow for per-client salts. These salts should
probably be generated and persisted during client creation. Thoughts?
On Fri, 12 Aug 2016 at 09:57 Martin Hardselius <martin.hardselius(a)gmail.com>
wrote:
Thank you for your response. Did not see that ticket before. Great
news!
I looked into using protocol mappers to achieve this, and while it would
work I'm worried that once KEYCLOAK-3422 has been resolved and included in
a proper release we would run into migration issues if the method used for
calculating "native" pairwise subs is different from what we implement.
Clients could loose / be forced to re-register all their users if we decide
to switch. The example methods in the spec are just that. Examples. Maybe
the method/alg for computing the pairwise sub should be pluggable?
--
Martin
On Thu, 11 Aug 2016 at 17:15 Marek Posolda <mposolda(a)redhat.com> wrote:
> Sorry for late response.
>
> We have JIRA created for that. You can possibly add yourself as a
> watcher. See
https://issues.jboss.org/browse/KEYCLOAK-3422
>
> Maybe an alternative for you is to use protocolMappers. That should allow
> you to "construct" the token for particular client exactly how you want
and
> also use the different value for "sub" claim.
>
> Another possibility is, to handle this on adapter side. We already have
> an adapter option "principal-attribute", which specifies that application
> will see the different attribute instead of "sub" as subject. For example
> when in appllication you call "httpServletRequest.getRemoteUser()" it will
> return "john" instead of "123456-unique-johns-uuid" . See
>
https://keycloak.gitbooks.io/securing-client-applications-guide/content/v...
>
> Hopefully some of the options can be useful for you?
>
> Marek
>
>
> On 02/08/16 14:13, Martin Hardselius wrote:
>
> Me and my team are working towards getting Keycloak, customized for our
> needs, into production but we've identified the need for Pairwise Subject
> Identifiers as we don't want to expose internal user ids.
>
> Right now, the only subject_types_supported seems to be "public". Are
> there any near-future plans to include "pairwise"? Can we pitch in with a
> PR to make this happen as soon as possible?
>
> Links to relevant sections in the spec:
>
>
http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
>
http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
>
> --
> Martin
>
>
> _______________________________________________
> keycloak-dev mailing
listkeycloak-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>