Hello Sebastian,
I'm looking forward to your work, and I would be happy to make a contribution after you
finish it.
Best regards,
Takashi Norimatsu
Hitachi Ltd.,
----------
From: Sebastian Laskawiec <slaskawi(a)redhat.com>
Sent: Thursday, July 26, 2018 5:24 PM
To: 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com>
Cc: keycloak-dev(a)lists.jboss.org
Subject: [!]Re: [keycloak-dev] OAuth 2.0 Mutual TLS Client Authentication
Hey Takashi,
Thanks a lot for the interest in contributing to Keycloak!
Sebi and I are working on this topic currently. We plan to reuse some bits of the User
x509 Authentication and bring them to the client. We planned the implementation for this
sprint, so it *should* be ready in ~3 weeks.
More comments inlined.
Thanks,
Sebastian
On Thu, Jul 26, 2018 at 1:23 AM 乗松隆志 / NORIMATSU,TAKASHI
<takashi.norimatsu.ws(a)hitachi.com> wrote:
Hello,
As mentioned in
https://issues.jboss.org/browse/KEYCLOAK-7512 and
https://issues.jboss.org/browse/KEYCLOAK-7635, is there anyone who is currently implementing
OAuth 2.0 Mutual TLS Client Authentication as defined in
https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2?
We also have an additional requirement: allowing a client to authenticate without
"client_id" being sent (we need to extract it from the certificate obtained
during the TLS handshake). This is required for OpenShift integration.
If no one is doing it, I would like to try to implement this feature. What do you think about
it?
Also, in
https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2, two types of
OAuth 2.0 Mutual TLS Client Authentication are defined: for PKI and for self-signed
certificates.
I would be happy if those of you who are interested in this feature could tell me which you like better.
As far as I know, we won't be touching self-registering clients. So maybe once we are
done (let's assume that will happen in ~3 weeks), you could take it over and look into
that?
BTW, for now, we will be implementing everything in this branch:
https://github.com/sebastienblanc/keycloak/tree/client-x509 (currently, it contains an
empty Authenticator, but we will be adding bits and pieces to it).
Best regards,
Takashi Norimatsu
Hitachi Ltd.,
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
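To illustrate the two section 2 methods from draft-ietf-oauth-mtls (PKI subject match versus a pinned self-signed certificate) together with the "no client_id sent" case raised in the thread, here is an added Go example written for this page; it is not code from Keycloak or from the client-x509 branch, and the Client fields, the registry shape and the certificate names are assumptions. Chain validation for the PKI case is assumed to have been done by the TLS layer before this step.

```go
package main
import (
    "crypto/ecdsa"
    "crypto/elliptic"
    "crypto/rand"
    "crypto/x509"
    "crypto/x509/pkix"
    "errors"
    "math/big"
    "time"
)
// A registered client (hypothetical fields): SubjectDN for the PKI method, Pinned for self-signed.
type Client struct {
    ID, SubjectDN string
    Pinned        *x509.Certificate
}
// AuthenticateClient is the matching step of draft-ietf-oauth-mtls section 2, run after the TLS
// layer has validated the chain. An empty clientID (the OpenShift case) derives it from the cert.
func AuthenticateClient(reg []Client, peer *x509.Certificate, clientID string) (string, error) {
    matched := ""
    for _, c := range reg {
        if clientID != "" && c.ID != clientID {
            continue // only the asserted client's registration may be consulted
        }
        if c.Pinned != nil && !c.Pinned.Equal(peer) || // byte-for-byte DER comparison
            c.Pinned == nil && (c.SubjectDN == "" || c.SubjectDN != peer.Subject.String()) {
            continue
        }
        if matched != "" { // two registrations share a DN: refuse to guess the client_id
            return "", errors.New("certificate matches several clients; client_id required")
        }
        matched = c.ID
    }
    if matched == "" {
        return "", errors.New("certificate does not match a registered client")
    }
    return matched, nil
}
// SelfSigned builds a throwaway certificate with the given CN (constructed demo data only).
func SelfSigned(cn string) *x509.Certificate {
    key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
        NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
    der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
    cert, _ := x509.ParseCertificate(der)
    return cert
}
```

A second certificate that only shares the pinned client's subject is rejected, because the self-signed method compares the whole certificate, not its DN.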