On 02/07/2019 16:38, Nemanja Hiršl wrote:
Hi,
Current implementation of X.509 Authenticator uses a number of
different mappings of a certificate to user identity.
None of provided mappings can guarantee uniqueness. It is up to CA to
choose which fields to include in SubjectDN and SAN and there might be
some unique data. In these cases we can use provided mappers to
identify users. However, if there's a need to support certificates
from different CAs, with unrelated usage of SubjectDN and SAN fields
those mappers are not sufficient.
One way to uniquely identify user is to use certificate thumbprint.
For the solution I'm working on, we have implemented SHA256-Thumbprint
mapper and it is giving us expected results.
Do you think sha256 thumbprint mapper would be a useful addition to
already existing mappers?
Should I prepare appropriate PR?
The other approach might be combination of serial number and issuer.
According to RFC 5280 the issuer name and serial number identify a
unique certificate.This is something I haven't tried, but would like
to hear your opinion.
+1 for the serial number + Issuer DN.
I would vote also for remove "Issuer's email" and "Issuer's Common
Name"
as I can't imagine that those can be ever used to uniquely identify
subject and I doubt that someone is using this in production for
uniquely identify user?
Adding Peter Nalyvayko to CC as I believe he was the original author who
added those. Peter, feel free to correct me if I am wrong :)
Thanks,
Marek
Thanks.
References:
1. There's a nice explanation on stackoveroflow of what can be used to
uniquely identify users:
https://stackoverflow.com/questions/5290571/which-parts-of-the-client-cer...
2. There's also a discussion here:
https://issues.jboss.org/browse/KEYCLOAK-9610
3. RFC 5280:
https://tools.ietf.org/html/rfc5280#section-4.1.2.2
Best regards,
Nemanja
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev