Hi,
I've just done a review of your PR and added a few minor comments. Sorry
for the delay. Thanks for your contribution.
Marek
On 21. 07. 19 12:45, Nemanja Hiršl wrote:
Hi,
Did you get a chance to look into this PR?
If there's something wrong with the code/logic, I'll be happy to rework
it... Just let me know.
Best regards,
Nemanja
On 7/8/19 2:44 PM, Nemanja Hiršl wrote:
> Hi Marek,
>
> After having some trouble resolving merge conflicts, I've finally
> filed a new PR: https://github.com/keycloak/keycloak/pull/6153
> Please take a look when you have time.
> Thanks.
>
> Best regards,
> Nemanja
>
> On 7/3/19 10:41 AM, Marek Posolda wrote:
>> Thanks!
>>
>> Marek
>>
>> On 03/07/2019 10:34, Nemanja Hiršl wrote:
>>> On 7/3/19 8:16 AM, Marek Posolda wrote:
>>>> On 03/07/2019 00:20, Nalyvayko, Peter wrote:
>>>>> Hi Marek,
>>>>>
>>>>>
>>>>> I believe in the original version the regular expression was the
>>>>> only mapper provided out of the box to parse the unique identity
>>>>> from the subject's DN. Adding the x500 mappers (email, etc.) came
>>>>> up, if I recall correctly, during the PR discussion, but I could
>>>>> be wrong.
>>>>
>>>> Cool, Thanks for clarifying.
>>>>
>>>> I think that when we add "Issuer's DN + serial number"
>>>> combination, we can remove "Issuer's email" and "Issuer's Common
>>>> Name".
>>>>
>>>
>>> Thanks.
>>> I'll try to prepare a PR in the next couple of days to remove "Issuer's
>>> email", "Issuer's Common Name" and add "Issuer's DN and serial number"
>>>
>>>
>>> Best regards,
>>> Nemanja
>>>
>>>> Marek
>>>>
>>>>>
>>>>>> None of the provided mappings can guarantee uniqueness.
>>>>> For on-premise deployments, having a simple mapping (email from an
>>>>> x509 cert) may be sufficient as long as there is a single trusted
>>>>> CA.
>>>>>
>>>>>> I would also vote to remove "Issuer's email" and "Issuer's
>>>>>> Common Name", as I can't imagine that those can ever be used to
>>>>>> uniquely identify a subject, and I doubt that someone is using this
>>>>>> in production to uniquely identify a user?
>>>>> +1 I am not aware of any of our clients using the issuer's mappers.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Peter
>>>>>
>>>>> -----Original Message-----
>>>>> From: keycloak-dev-bounces(a)lists.jboss.org
>>>>> <keycloak-dev-bounces(a)lists.jboss.org> On Behalf Of Marek Posolda
>>>>> Sent: Tuesday, July 2, 2019 12:38 PM
>>>>> To: Nemanja Hiršl <nemanja.hirsl(a)netsetglobal.rs>;
>>>>> keycloak-dev(a)lists.jboss.org
>>>>> Subject: Re: [keycloak-dev] X.509 Authenticator - New User
>>>>> Identity Source
>>>>>
>>>>>
>>>>> On 02/07/2019 16:38, Nemanja Hiršl wrote:
>>>>>> Hi,
>>>>>>
>>>>>> The current implementation of the X.509 Authenticator uses a number of
>>>>>> different mappings of a certificate to a user identity.
>>>>>> None of the provided mappings can guarantee uniqueness. It is up to the
>>>>>> CA to choose which fields to include in the SubjectDN and SAN, and there
>>>>>> might be some unique data there. In those cases we can use the provided
>>>>>> mappers to identify users. However, if there's a need to support
>>>>>> certificates from different CAs, with unrelated usage of the SubjectDN
>>>>>> and SAN fields, those mappers are not sufficient.
>>>>>>
>>>>>> One way to uniquely identify a user is to use the certificate thumbprint.
>>>>>> For the solution I'm working on, we have implemented a SHA256-Thumbprint
>>>>>> mapper and it is giving us the expected results.
>>>>>>
>>>>>> Do you think a sha256 thumbprint mapper would be a useful addition to
>>>>>> the already existing mappers?
>>>>>> Should I prepare an appropriate PR?
>>>>>>
>>>>>> The other approach might be a combination of serial number and issuer.
>>>>>> According to RFC 5280 the issuer name and serial number identify a
>>>>>> unique certificate. This is something I haven't tried, but would like
>>>>>> to hear your opinion.
>>>>> +1 for the serial number + Issuer DN.
>>>>>
>>>>> I would also vote to remove "Issuer's email" and "Issuer's
>>>>> Common Name", as I can't imagine that those can ever be used to
>>>>> uniquely identify a subject, and I doubt that someone is using this
>>>>> in production to uniquely identify a user?
>>>>>
>>>>> Adding Peter Nalyvayko to CC as I believe he was the original
>>>>> author who added those. Peter, feel free to correct me if I am
>>>>> wrong :)
>>>>>
>>>>> Thanks,
>>>>> Marek
>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> References:
>>>>>> 1. There's a nice explanation on stackoverflow of what can be used to
>>>>>> uniquely identify users:
>>>>>> https://stackoverflow.com/questions/5290571/which-parts-of-the-client-certificate-to-use-when-uniquely-identifying-users
>>>>>> 2. There's also a discussion here:
>>>>>> https://issues.jboss.org/browse/KEYCLOAK-9610
>>>>>> 3. RFC 5280: https://tools.ietf.org/html/rfc5280#section-4.1.2.2
>>>>>>
>>>>>>
>>>>>> Best regards,
>>>>>> Nemanja
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>>
>>>>
>>>
>>
>
>
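The identity sources compared in the quoted thread, as an added example that is not part of the thread or of Keycloak's own code: it uses Go's standard library rather than Keycloak's Java mapper SPI, and the CA names, subject CN and serial numbers are constructed test values. Two leaf certificates with an identical subject and serial are issued by two different CAs; the subject CN mapper collides, while the proposed SHA-256 thumbprint and the RFC 5280 issuer DN + serial number pair both stay distinct.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a constructed test certificate for cn, self-signed when parent
// is nil (demo only; errors are ignored because the inputs are fixed).
func newCert(cn string, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed CA
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// Thumbprint mapper proposed in the thread: SHA-256 over the DER encoding.
func sha256Thumbprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// Issuer DN + serial number, the pair RFC 5280 section 4.1.2.2 makes unique.
func issuerSerialID(c *x509.Certificate) string { return c.Issuer.String() + "#" + c.SerialNumber.Text(16) }

// Collisions issues two leaves with the same subject CN and serial from two
// different CAs and reports which mapper outputs coincide.
func Collisions() (sameCN, sameThumbprint, sameIssuerSerial bool) {
	caA, keyA := newCert("CA A", 1, nil, nil)
	caB, keyB := newCert("CA B", 1, nil, nil)
	a, _ := newCert("alice", 42, caA, keyA)
	b, _ := newCert("alice", 42, caB, keyB)
	return a.Subject.CommonName == b.Subject.CommonName,
		sha256Thumbprint(a) == sha256Thumbprint(b),
		issuerSerialID(a) == issuerSerialID(b)
}

func main() { fmt.Println(Collisions()) } // prints: true false false
```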