12:20 a.m.
Hi Marek,
I believe in the original version the regular expression was the only mapper provided out
of the box to parse the unique identity from the subject's DN. Adding the x500
mappers (email, etc.) came up, if I recall correctly, during the PR discussion, but I
could be wrong.
None of provided mappings can guarantee uniqueness.
For on-premise deployments having a simple mapping (email from x509 cert) may be
sufficient as long as there is a single trusted CA.
I would vote also for remove "Issuer's email" and
"Issuer's Common Name" as I can't imagine that those can be ever used
to uniquely identify subject and I doubt that someone is using this in production for
uniquely identify user?
+1 I am not aware of any of our clients using the issuer's mappers.
Cheers,
Peter
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-bounces(a)lists.jboss.org> On
Behalf Of Marek Posolda
Sent: Tuesday, July 2, 2019 12:38 PM
To: Nemanja Hiršl <nemanja.hirsl(a)netsetglobal.rs>; keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] X.509 Authenticator - New User Identity Source
On 02/07/2019 16:38, Nemanja Hiršl wrote:
Hi,
Current implementation of X.509 Authenticator uses a number of
different mappings of a certificate to user identity.
None of provided mappings can guarantee uniqueness. It is up to CA to
choose which fields to include in SubjectDN and SAN and there might be
some unique data. In these cases we can use provided mappers to
identify users. However, if there's a need to support certificates
from different CAs, with unrelated usage of SubjectDN and SAN fields
those mappers are not sufficient.
One way to uniquely identify user is to use certificate thumbprint.
For the solution I'm working on, we have implemented SHA256-Thumbprint
mapper and it is giving us expected results.
Do you think sha256 thumbprint mapper would be a useful addition to
already existing mappers?
Should I prepare appropriate PR?
The other approach might be combination of serial number and issuer.
According to RFC 5280 the issuer name and serial number identify a
unique certificate.This is something I haven't tried, but would like
to hear your opinion.
+1 for the serial number + Issuer DN.
I would vote also for remove "Issuer's email" and "Issuer's Common
Name"
as I can't imagine that those can be ever used to uniquely identify subject and I
doubt that someone is using this in production for uniquely identify user?
Adding Peter Nalyvayko to CC as I believe he was the original author who added those.
Peter, feel free to correct me if I am wrong :)
Thanks,
Marek
Thanks.
References:
1. There's a nice explanation on stackoveroflow of what can be used to
uniquely identify users:
https://stackoverflow.com/questions/5290571/which-parts-of-the-client-
certificate-to-use-when-uniquely-identifying-users
2. There's also a discussion here:
https://issues.jboss.org/browse/KEYCLOAK-9610
3. RFC 5280: https://tools.ietf.org/html/rfc5280#section-4.1.2.2
Best regards,
Nemanja
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev