1:48 a.m.
Hey all!
I am currently facing a situation with a customer who wants to implement mutual SSL /
client cert authentication. As I understand from the UserIdentityExtractor[1]
implementations, currently only returning a single value is allowed, because the
UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
Now my customer uses the serial number from the certificate to identify users. However,
this is only unique in combination with the issuer of the certificate, since my customer
supports multiple CAs. The combination of both exists in their LDAP as a single attribute
where both parts are separated by a special separator character.
In addition to that, the whole certificate of the user is also available in another LDAP
attribute.
I currently see the following options to implement a solution for this:
1) Writing a custom Authenticator to handle that specific situation. This one would look
very similar to the ootb X509 authenticator, but implements either a) or b) (see below)
2) Making a contribution to Keycloak and extend the list of available
UserIdentitiyExtractors.
For both approaches two different implementations come to my mind:
a) Adding an additional UserIdentitiyExtractor which combines the issuer and the serial
number into a single string and use that as an identity.
b) Adding an additional UserIdentitiyExtractor which returns the whole certificate as the
user's identity.
We would prefer contributing to Keycloak, if such a contribution is welcome and
meaningful.
Do you have any advice on which way to go here?
[1]https://github.com/keycloak/keycloak/blob/master/services/src/main/java...
[2]https://github.com/keycloak/keycloak/blob/master/services/src/main/java...
Regards
Sven-Torben
4:53 a.m.
Hi,
The solution (a) looks quite specific to the environment and I don't
think that it will be useful to have this as a generic feature in
Keycloak.. Solution (b) looks like bit more generally useful, but still
not 100% sure about adding it to Keycloak... For the solution (b), are
you talking about the PEM String representation of the X509 certificate,
which just excludes the initial and final lines (Those with "BEGIN
CERTIFICATE" and "END CERTIFICATE" )?
Marek
On 21/03/2019 07:48, Sven-Torben Janus wrote:
Hey all!
I am currently facing a situation with a customer who wants to implement mutual SSL /
client cert authentication. As I understand from the UserIdentityExtractor[1]
implementations, currently only returning a single value is allowed, because the
UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
Now my customer uses the serial number from the certificate to identify users. However,
this is only unique in combination with the issuer of the certificate, since my customer
supports multiple CAs. The combination of both exists in their LDAP as a single attribute
where both parts are separated by a special separator character.
In addition to that, the whole certificate of the user is also available in another LDAP
attribute.
I currently see the following options to implement a solution for this:
1) Writing a custom Authenticator to handle that specific situation. This one would look
very similar to the ootb X509 authenticator, but implements either a) or b) (see below)
2) Making a contribution to Keycloak and extend the list of available
UserIdentitiyExtractors.
For both approaches two different implementations come to my mind:
a) Adding an additional UserIdentitiyExtractor which combines the issuer and the serial
number into a single string and use that as an identity.
b) Adding an additional UserIdentitiyExtractor which returns the whole certificate as the
user's identity.
We would prefer contributing to Keycloak, if such a contribution is welcome and
meaningful.
Do you have any advice on which way to go here?
[1]https://github.com/keycloak/keycloak/blob/master/services/src/main/java...
[2]https://github.com/keycloak/keycloak/blob/master/services/src/main/java...
Regards
Sven-Torben
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:42 a.m.
Hi Sven-Torben,
You may also take a look at x509 lookup SPI responsible for returning a client
certificate's certificate chain. One strategy/workaround for what you are trying to do
is to actually substitute the client cert with another cert with a subjectDN that you can
format any way you need based on your requirements. Essentially, the approach will allow
to normalize any incoming certificate's subjectDN and still rely on the existing X509
Client Cert User Authentication that comes out of the box
Cheers,
Peter
________________________________________
From: keycloak-dev-bounces(a)lists.jboss.org [keycloak-dev-bounces(a)lists.jboss.org] on
behalf of Marek Posolda [mposolda(a)redhat.com]
Sent: Thursday, March 21, 2019 5:53 AM
To: Sven-Torben Janus; keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] X.509 User Identity Extractor - multiple values
Hi,
The solution (a) looks quite specific to the environment and I don't
think that it will be useful to have this as a generic feature in
Keycloak.. Solution (b) looks like bit more generally useful, but still
not 100% sure about adding it to Keycloak... For the solution (b), are
you talking about the PEM String representation of the X509 certificate,
which just excludes the initial and final lines (Those with "BEGIN
CERTIFICATE" and "END CERTIFICATE" )?
Marek
On 21/03/2019 07:48, Sven-Torben Janus wrote:
Hey all!
I am currently facing a situation with a customer who wants to implement mutual SSL /
client cert authentication. As I understand from the UserIdentityExtractor[1]
implementations, currently only returning a single value is allowed, because the
UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
Now my customer uses the serial number from the certificate to identify users. However,
this is only unique in combination with the issuer of the certificate, since my customer
supports multiple CAs. The combination of both exists in their LDAP as a single attribute
where both parts are separated by a special separator character.
In addition to that, the whole certificate of the user is also available in another LDAP
attribute.
I currently see the following options to implement a solution for this:
1) Writing a custom Authenticator to handle that specific situation. This one would look
very similar to the ootb X509 authenticator, but implements either a) or b) (see below)
2) Making a contribution to Keycloak and extend the list of available
UserIdentitiyExtractors.
For both approaches two different implementations come to my mind:
a) Adding an additional UserIdentitiyExtractor which combines the issuer and the serial
number into a single string and use that as an identity.
b) Adding an additional UserIdentitiyExtractor which returns the whole certificate as the
user's identity.
We would prefer contributing to Keycloak, if such a contribution is welcome and
meaningful.
Do you have any advice on which way to go here?
[1]https://github.com/keycloak/keycloak/blob/master/services/src/main/java...
[2]https://github.com/keycloak/keycloak/blob/master/services/src/main/java...
Regards
Sven-Torben
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
11:25 a.m.
Hey Peter,
I am not sure, if I understand all the implication, especially when it comes to
certificate validation. When I manipulate or replace the client cert, how can the existing
X509 Client Cert User Authentication ensure the validity of the new/manipulated
certificate then?
Regards
Sven-Torben
-----Ursprüngliche Nachricht-----
Von: Nalyvayko, Peter <pnalyvayko(a)agi.com>
Gesendet: Donnerstag, 21. März 2019 15:43
An: Marek Posolda <mposolda(a)redhat.com>; Sven-Torben Janus
<sven-torben.janus(a)conciso.de>; keycloak-dev(a)lists.jboss.org
Betreff: RE: [keycloak-dev] X.509 User Identity Extractor - multiple values
Hi Sven-Torben,
You may also take a look at x509 lookup SPI responsible for returning a client
certificate's certificate chain. One strategy/workaround for what you are trying to do
is to actually substitute the client cert with another cert with a subjectDN that you can
format any way you need based on your requirements. Essentially, the approach will allow
to normalize any incoming certificate's subjectDN and still rely on the existing X509
Client Cert User Authentication that comes out of the box
Cheers,
Peter
________________________________________
From: keycloak-dev-bounces(a)lists.jboss.org [keycloak-dev-bounces(a)lists.jboss.org] on
behalf of Marek Posolda [mposolda(a)redhat.com]
Sent: Thursday, March 21, 2019 5:53 AM
To: Sven-Torben Janus; keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] X.509 User Identity Extractor - multiple values
Hi,
The solution (a) looks quite specific to the environment and I don't think that it
will be useful to have this as a generic feature in Keycloak.. Solution (b) looks like bit
more generally useful, but still not 100% sure about adding it to Keycloak... For the
solution (b), are you talking about the PEM String representation of the X509 certificate,
which just excludes the initial and final lines (Those with "BEGIN CERTIFICATE"
and "END CERTIFICATE" )?
Marek
On 21/03/2019 07:48, Sven-Torben Janus wrote:
Hey all!
I am currently facing a situation with a customer who wants to implement mutual SSL /
client cert authentication. As I understand from the UserIdentityExtractor[1]
implementations, currently only returning a single value is allowed, because the
UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
Now my customer uses the serial number from the certificate to identify users. However,
this is only unique in combination with the issuer of the certificate, since my customer
supports multiple CAs. The combination of both exists in their LDAP as a single attribute
where both parts are separated by a special separator character.
In addition to that, the whole certificate of the user is also available in another LDAP
attribute.
I currently see the following options to implement a solution for this:
1) Writing a custom Authenticator to handle that specific situation.
This one would look very similar to the ootb X509 authenticator, but
implements either a) or b) (see below)
2) Making a contribution to Keycloak and extend the list of available
UserIdentitiyExtractors.
For both approaches two different implementations come to my mind:
a) Adding an additional UserIdentitiyExtractor which combines the issuer and the serial
number into a single string and use that as an identity.
b) Adding an additional UserIdentitiyExtractor which returns the whole certificate as the
user's identity.
We would prefer contributing to Keycloak, if such a contribution is welcome and
meaningful.
Do you have any advice on which way to go here?
[1]https://github.com/keycloak/keycloak/blob/master/services/src/main/
java/org/keycloak/authentication/authenticators/x509/UserIdentityExtra
ctor.java
[2]https://github.com/keycloak/keycloak/blob/master/services/src/main/
java/org/keycloak/authentication/authenticators/x509/UserIdentityToMod
elMapper.java#L57
Regards
Sven-Torben
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
12:48 p.m.
Hey Sven-Torben,
I understand your concern. The cert path validation happens during SSL handshake, so that
should not be an issue. As for other information, for example Key Usage and Extended Key
Usage - those fields can either be replicated into an "substitue" certificate or
their validation can be turned off, again, depending on a particular use case. Obviously,
if your requirements include CRL validation or OCSP cert validation, then the suggested
approach may not work for you.
The client cert authentication is mostly concerned with mapping an existing user using the
information from client certificate, cert validation is somewhat secondary (for example,
the authenticator leaves the PKIX path validation to the container), and this strategy can
be an alternative, rather than adding something to ootb that is specific to a particular
vendor.
My $0.02
________________________________________
From: Sven-Torben Janus [sven-torben.janus(a)conciso.de]
Sent: Thursday, March 21, 2019 12:25 PM
To: Nalyvayko, Peter; Marek Posolda; keycloak-dev(a)lists.jboss.org
Subject: AW: [keycloak-dev] X.509 User Identity Extractor - multiple values
Hey Peter,
I am not sure, if I understand all the implication, especially when it comes to
certificate validation. When I manipulate or replace the client cert, how can the existing
X509 Client Cert User Authentication ensure the validity of the new/manipulated
certificate then?
Regards
Sven-Torben
-----Ursprüngliche Nachricht-----
Von: Nalyvayko, Peter <pnalyvayko(a)agi.com>
Gesendet: Donnerstag, 21. März 2019 15:43
An: Marek Posolda <mposolda(a)redhat.com>; Sven-Torben Janus
<sven-torben.janus(a)conciso.de>; keycloak-dev(a)lists.jboss.org
Betreff: RE: [keycloak-dev] X.509 User Identity Extractor - multiple values
Hi Sven-Torben,
You may also take a look at x509 lookup SPI responsible for returning a client
certificate's certificate chain. One strategy/workaround for what you are trying to do
is to actually substitute the client cert with another cert with a subjectDN that you can
format any way you need based on your requirements. Essentially, the approach will allow
to normalize any incoming certificate's subjectDN and still rely on the existing X509
Client Cert User Authentication that comes out of the box
Cheers,
Peter
________________________________________
From: keycloak-dev-bounces(a)lists.jboss.org [keycloak-dev-bounces(a)lists.jboss.org] on
behalf of Marek Posolda [mposolda(a)redhat.com]
Sent: Thursday, March 21, 2019 5:53 AM
To: Sven-Torben Janus; keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] X.509 User Identity Extractor - multiple values
Hi,
The solution (a) looks quite specific to the environment and I don't think that it
will be useful to have this as a generic feature in Keycloak.. Solution (b) looks like bit
more generally useful, but still not 100% sure about adding it to Keycloak... For the
solution (b), are you talking about the PEM String representation of the X509 certificate,
which just excludes the initial and final lines (Those with "BEGIN CERTIFICATE"
and "END CERTIFICATE" )?
Marek
On 21/03/2019 07:48, Sven-Torben Janus wrote:
Hey all!
I am currently facing a situation with a customer who wants to implement mutual SSL /
client cert authentication. As I understand from the UserIdentityExtractor[1]
implementations, currently only returning a single value is allowed, because the
UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
Now my customer uses the serial number from the certificate to identify users. However,
this is only unique in combination with the issuer of the certificate, since my customer
supports multiple CAs. The combination of both exists in their LDAP as a single attribute
where both parts are separated by a special separator character.
In addition to that, the whole certificate of the user is also available in another LDAP
attribute.
I currently see the following options to implement a solution for this:
1) Writing a custom Authenticator to handle that specific situation.
This one would look very similar to the ootb X509 authenticator, but
implements either a) or b) (see below)
2) Making a contribution to Keycloak and extend the list of available
UserIdentitiyExtractors.
For both approaches two different implementations come to my mind:
a) Adding an additional UserIdentitiyExtractor which combines the issuer and the serial
number into a single string and use that as an identity.
b) Adding an additional UserIdentitiyExtractor which returns the whole certificate as the
user's identity.
We would prefer contributing to Keycloak, if such a contribution is welcome and
meaningful.
Do you have any advice on which way to go here?
[1]https://github.com/keycloak/keycloak/blob/master/services/src/main/
java/org/keycloak/authentication/authenticators/x509/UserIdentityExtra
ctor.java
[2]https://github.com/keycloak/keycloak/blob/master/services/src/main/
java/org/keycloak/authentication/authenticators/x509/UserIdentityToMod
elMapper.java#L57
Regards
Sven-Torben
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
11:18 a.m.
Hi Marek,
I agree to your thoughts on solution a). That's basically why I wanted to discuss it
here, before starting an implementation.
Regarding, solution b), yes that is what I thought about (with or without the
initial/final lines).
Sven-Torben
-----Ursprüngliche Nachricht-----
Von: Marek Posolda <mposolda(a)redhat.com>
Gesendet: Donnerstag, 21. März 2019 10:54
An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>; keycloak-dev(a)lists.jboss.org
Betreff: Re: [keycloak-dev] X.509 User Identity Extractor - multiple values
Hi,
The solution (a) looks quite specific to the environment and I don't think that it
will be useful to have this as a generic feature in Keycloak.. Solution (b) looks like bit
more generally useful, but still not 100% sure about adding it to Keycloak... For the
solution (b), are you talking about the PEM String representation of the X509 certificate,
which just excludes the initial and final lines (Those with "BEGIN CERTIFICATE"
and "END CERTIFICATE" )?
Marek
On 21/03/2019 07:48, Sven-Torben Janus wrote:
Hey all!
I am currently facing a situation with a customer who wants to implement mutual SSL /
client cert authentication. As I understand from the UserIdentityExtractor[1]
implementations, currently only returning a single value is allowed, because the
UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
Now my customer uses the serial number from the certificate to identify users. However,
this is only unique in combination with the issuer of the certificate, since my customer
supports multiple CAs. The combination of both exists in their LDAP as a single attribute
where both parts are separated by a special separator character.
In addition to that, the whole certificate of the user is also available in another LDAP
attribute.
I currently see the following options to implement a solution for this:
1) Writing a custom Authenticator to handle that specific situation. This one would look
very similar to the ootb X509 authenticator, but implements either a) or b) (see below)
2) Making a contribution to Keycloak and extend the list of available
UserIdentitiyExtractors.
For both approaches two different implementations come to my mind:
a) Adding an additional UserIdentitiyExtractor which combines the issuer and the serial
number into a single string and use that as an identity.
b) Adding an additional UserIdentitiyExtractor which returns the whole certificate as the
user's identity.
We would prefer contributing to Keycloak, if such a contribution is welcome and
meaningful.
Do you have any advice on which way to go here?
[1]https://github.com/keycloak/keycloak/blob/master/services/src/main/java...
[2]https://github.com/keycloak/keycloak/blob/master/services/src/main/java...
Regards
Sven-Torben
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:19 a.m.
Thanks for the clarification
TBH It seems to me that probably even (b) won't be very generally
useful. Unless for example some LDAP servers store the certificate PEM
in some standard LDAP attribute of the user? But if it's customization
of LDAP schema specific to your environment to be able to save the
certificate PEM in the LDAP attribute, then my vote is to not add it.
Marek
On 21/03/2019 17:18, Sven-Torben Janus wrote:
Hi Marek,
I agree to your thoughts on solution a). That's basically why I wanted to discuss it
here, before starting an implementation.
Regarding, solution b), yes that is what I thought about (with or without the
initial/final lines).
Sven-Torben
-----Ursprüngliche Nachricht-----
Von: Marek Posolda <mposolda(a)redhat.com>
Gesendet: Donnerstag, 21. März 2019 10:54
An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>; keycloak-dev(a)lists.jboss.org
Betreff: Re: [keycloak-dev] X.509 User Identity Extractor - multiple values
Hi,
The solution (a) looks quite specific to the environment and I don't think that it
will be useful to have this as a generic feature in Keycloak.. Solution (b) looks like bit
more generally useful, but still not 100% sure about adding it to Keycloak... For the
solution (b), are you talking about the PEM String representation of the X509 certificate,
which just excludes the initial and final lines (Those with "BEGIN CERTIFICATE"
and "END CERTIFICATE" )?
Marek
On 21/03/2019 07:48, Sven-Torben Janus wrote:
> Hey all!
>
> I am currently facing a situation with a customer who wants to implement mutual SSL /
client cert authentication. As I understand from the UserIdentityExtractor[1]
implementations, currently only returning a single value is allowed, because the
UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
>
> Now my customer uses the serial number from the certificate to identify users.
However, this is only unique in combination with the issuer of the certificate, since my
customer supports multiple CAs. The combination of both exists in their LDAP as a single
attribute where both parts are separated by a special separator character.
> In addition to that, the whole certificate of the user is also available in another
LDAP attribute.
>
> I currently see the following options to implement a solution for this:
> 1) Writing a custom Authenticator to handle that specific situation. This one would
look very similar to the ootb X509 authenticator, but implements either a) or b) (see
below)
> 2) Making a contribution to Keycloak and extend the list of available
UserIdentitiyExtractors.
>
> For both approaches two different implementations come to my mind:
>
> a) Adding an additional UserIdentitiyExtractor which combines the issuer and the
serial number into a single string and use that as an identity.
> b) Adding an additional UserIdentitiyExtractor which returns the whole certificate as
the user's identity.
>
> We would prefer contributing to Keycloak, if such a contribution is welcome and
meaningful.
>
> Do you have any advice on which way to go here?
>
>
[1]https://github.com/keycloak/keycloak/blob/master/services/src/main/java...
>
[2]https://github.com/keycloak/keycloak/blob/master/services/src/main/java...
>
> Regards
> Sven-Torben
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
5:43 a.m.
Hey Marek,
as far as I know, RFC 2587 specifies the usercertificate attribute for exactly that
purpose. Active Directory also knows something similar (see
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada3/f9e9...).
IMHO matching the certificate against a custom LDAP attribute should also be ok. At least
that is what the custom attribute mapper for the existing "user mapping method"
is doing anyways for all the other user identity sources (like subjectDN, common name
etc.), right?
Regards
Sven-Torben
-----Ursprüngliche Nachricht-----
Von: Marek Posolda <mposolda(a)redhat.com>
Gesendet: Freitag, 22. März 2019 10:20
An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>; keycloak-dev(a)lists.jboss.org
Betreff: Re: AW: [keycloak-dev] X.509 User Identity Extractor - multiple values
Thanks for the clarification
TBH It seems to me that probably even (b) won't be very generally useful. Unless for
example some LDAP servers store the certificate PEM in some standard LDAP attribute of the
user? But if it's customization of LDAP schema specific to your environment to be able
to save the certificate PEM in the LDAP attribute, then my vote is to not add it.
Marek
On 21/03/2019 17:18, Sven-Torben Janus wrote:
Hi Marek,
I agree to your thoughts on solution a). That's basically why I wanted to discuss it
here, before starting an implementation.
Regarding, solution b), yes that is what I thought about (with or without the
initial/final lines).
Sven-Torben
-----Ursprüngliche Nachricht-----
Von: Marek Posolda <mposolda(a)redhat.com>
Gesendet: Donnerstag, 21. März 2019 10:54
An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>;
keycloak-dev(a)lists.jboss.org
Betreff: Re: [keycloak-dev] X.509 User Identity Extractor - multiple
values
Hi,
The solution (a) looks quite specific to the environment and I don't think that it
will be useful to have this as a generic feature in Keycloak.. Solution (b) looks like bit
more generally useful, but still not 100% sure about adding it to Keycloak... For the
solution (b), are you talking about the PEM String representation of the X509 certificate,
which just excludes the initial and final lines (Those with "BEGIN CERTIFICATE"
and "END CERTIFICATE" )?
Marek
On 21/03/2019 07:48, Sven-Torben Janus wrote:
> Hey all!
>
> I am currently facing a situation with a customer who wants to implement mutual SSL /
client cert authentication. As I understand from the UserIdentityExtractor[1]
implementations, currently only returning a single value is allowed, because the
UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
>
> Now my customer uses the serial number from the certificate to identify users.
However, this is only unique in combination with the issuer of the certificate, since my
customer supports multiple CAs. The combination of both exists in their LDAP as a single
attribute where both parts are separated by a special separator character.
> In addition to that, the whole certificate of the user is also available in another
LDAP attribute.
>
> I currently see the following options to implement a solution for this:
> 1) Writing a custom Authenticator to handle that specific situation.
> This one would look very similar to the ootb X509 authenticator, but
> implements either a) or b) (see below)
> 2) Making a contribution to Keycloak and extend the list of available
UserIdentitiyExtractors.
>
> For both approaches two different implementations come to my mind:
>
> a) Adding an additional UserIdentitiyExtractor which combines the issuer and the
serial number into a single string and use that as an identity.
> b) Adding an additional UserIdentitiyExtractor which returns the whole certificate as
the user's identity.
>
> We would prefer contributing to Keycloak, if such a contribution is welcome and
meaningful.
>
> Do you have any advice on which way to go here?
>
> [1]https://github.com/keycloak/keycloak/blob/master/services/src/main
> /java/org/keycloak/authentication/authenticators/x509/UserIdentityExt
> ractor.java
> [2]https://github.com/keycloak/keycloak/blob/master/services/src/main
> /java/org/keycloak/authentication/authenticators/x509/UserIdentityToM
> odelMapper.java#L57
>
> Regards
> Sven-Torben
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
6:24 a.m.
On 22/03/2019 11:43, Sven-Torben Janus wrote:
Hey Marek,
as far as I know, RFC 2587 specifies the usercertificate attribute for exactly that
purpose. Active Directory also knows something similar (see
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada3/f9e9...).
Thanks for pointing this. It seems it may be useful to have OOTB
UserIdentityExtractor, which will work with the MSAD "userCertificate"
attribute. So if you have a chance to contribute this, I think it will
be fine.
IMHO matching the certificate against a custom LDAP attribute should
also be ok. At least that is what the custom attribute mapper for the existing "user
mapping method" is doing anyways for all the other user identity sources (like
subjectDN, common name etc.), right?
Maybe it is thin line, but in general, I see that having OOTB
extractors, which are able to pair users based on subjectDN or
commonName looks natural and will probably work for most of the people.
Having something very specific like "issuer;serialNumber" is IMO not
generally useful, so I would rather avoid to have the
UserIdentityExtractor in Keycloak OOTB.
Marek
Regards
Sven-Torben
-----Ursprüngliche Nachricht-----
Von: Marek Posolda <mposolda(a)redhat.com>
Gesendet: Freitag, 22. März 2019 10:20
An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>; keycloak-dev(a)lists.jboss.org
Betreff: Re: AW: [keycloak-dev] X.509 User Identity Extractor - multiple values
Thanks for the clarification
TBH It seems to me that probably even (b) won't be very generally useful. Unless for
example some LDAP servers store the certificate PEM in some standard LDAP attribute of the
user? But if it's customization of LDAP schema specific to your environment to be able
to save the certificate PEM in the LDAP attribute, then my vote is to not add it.
Marek
On 21/03/2019 17:18, Sven-Torben Janus wrote:
> Hi Marek,
>
> I agree to your thoughts on solution a). That's basically why I wanted to discuss
it here, before starting an implementation.
> Regarding, solution b), yes that is what I thought about (with or without the
initial/final lines).
>
> Sven-Torben
>
> -----Ursprüngliche Nachricht-----
> Von: Marek Posolda <mposolda(a)redhat.com>
> Gesendet: Donnerstag, 21. März 2019 10:54
> An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>;
> keycloak-dev(a)lists.jboss.org
> Betreff: Re: [keycloak-dev] X.509 User Identity Extractor - multiple
> values
>
> Hi,
>
> The solution (a) looks quite specific to the environment and I don't think that
it will be useful to have this as a generic feature in Keycloak.. Solution (b) looks like
bit more generally useful, but still not 100% sure about adding it to Keycloak... For the
solution (b), are you talking about the PEM String representation of the X509 certificate,
which just excludes the initial and final lines (Those with "BEGIN CERTIFICATE"
and "END CERTIFICATE" )?
>
> Marek
>
> On 21/03/2019 07:48, Sven-Torben Janus wrote:
>> Hey all!
>>
>> I am currently facing a situation with a customer who wants to implement mutual
SSL / client cert authentication. As I understand from the UserIdentityExtractor[1]
implementations, currently only returning a single value is allowed, because the
UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
>>
>> Now my customer uses the serial number from the certificate to identify users.
However, this is only unique in combination with the issuer of the certificate, since my
customer supports multiple CAs. The combination of both exists in their LDAP as a single
attribute where both parts are separated by a special separator character.
>> In addition to that, the whole certificate of the user is also available in
another LDAP attribute.
>>
>> I currently see the following options to implement a solution for this:
>> 1) Writing a custom Authenticator to handle that specific situation.
>> This one would look very similar to the ootb X509 authenticator, but
>> implements either a) or b) (see below)
>> 2) Making a contribution to Keycloak and extend the list of available
UserIdentitiyExtractors.
>>
>> For both approaches two different implementations come to my mind:
>>
>> a) Adding an additional UserIdentitiyExtractor which combines the issuer and the
serial number into a single string and use that as an identity.
>> b) Adding an additional UserIdentitiyExtractor which returns the whole
certificate as the user's identity.
>>
>> We would prefer contributing to Keycloak, if such a contribution is welcome and
meaningful.
>>
>> Do you have any advice on which way to go here?
>>
>> [1]https://github.com/keycloak/keycloak/blob/master/services/src/main
>> /java/org/keycloak/authentication/authenticators/x509/UserIdentityExt
>> ractor.java
>> [2]https://github.com/keycloak/keycloak/blob/master/services/src/main
>> /java/org/keycloak/authentication/authenticators/x509/UserIdentityToM
>> odelMapper.java#L57
>>
>> Regards
>> Sven-Torben
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
1:16 p.m.
Hey Marek,
I need to follow up on this.
I have made a first draft of the implementation. However, it seems that certificates are
much longer than currently supported by the value field in the user_attribute table.
Increasing filed length has been discussed in
https://issues.jboss.org/browse/KEYCLOAK-2382, but I could not really figure out what the
current status is? It does not seem to be implemented. Do you see a chance for increasing
the field length?
Regards
Sven-Torben
-----Ursprüngliche Nachricht-----
Von: Marek Posolda <mposolda(a)redhat.com>
Gesendet: Montag, 25. März 2019 12:25
An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>; keycloak-dev(a)lists.jboss.org
Betreff: Re: AW: AW: [keycloak-dev] X.509 User Identity Extractor - multiple values
On 22/03/2019 11:43, Sven-Torben Janus wrote:
Hey Marek,
as far as I know, RFC 2587 specifies the usercertificate attribute for exactly that
purpose. Active Directory also knows something similar (see
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada3/f9e9...).
Thanks for pointing this. It seems it may be useful to have OOTB
UserIdentityExtractor, which will work with the MSAD "userCertificate"
attribute. So if you have a chance to contribute this, I think it will be fine.
IMHO matching the certificate against a custom LDAP attribute should
also be ok. At least that is what the custom attribute mapper for the existing "user
mapping method" is doing anyways for all the other user identity sources (like
subjectDN, common name etc.), right?
Maybe it is thin line, but in general, I see that having OOTB extractors, which are able
to pair users based on subjectDN or commonName looks natural and will probably work for
most of the people.
Having something very specific like "issuer;serialNumber" is IMO not generally
useful, so I would rather avoid to have the UserIdentityExtractor in Keycloak OOTB.
Marek
Regards
Sven-Torben
-----Ursprüngliche Nachricht-----
Von: Marek Posolda <mposolda(a)redhat.com>
Gesendet: Freitag, 22. März 2019 10:20
An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>;
keycloak-dev(a)lists.jboss.org
Betreff: Re: AW: [keycloak-dev] X.509 User Identity Extractor -
multiple values
Thanks for the clarification
TBH It seems to me that probably even (b) won't be very generally useful. Unless for
example some LDAP servers store the certificate PEM in some standard LDAP attribute of the
user? But if it's customization of LDAP schema specific to your environment to be able
to save the certificate PEM in the LDAP attribute, then my vote is to not add it.
Marek
On 21/03/2019 17:18, Sven-Torben Janus wrote:
> Hi Marek,
>
> I agree to your thoughts on solution a). That's basically why I wanted to discuss
it here, before starting an implementation.
> Regarding, solution b), yes that is what I thought about (with or without the
initial/final lines).
>
> Sven-Torben
>
> -----Ursprüngliche Nachricht-----
> Von: Marek Posolda <mposolda(a)redhat.com>
> Gesendet: Donnerstag, 21. März 2019 10:54
> An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>;
> keycloak-dev(a)lists.jboss.org
> Betreff: Re: [keycloak-dev] X.509 User Identity Extractor - multiple
> values
>
> Hi,
>
> The solution (a) looks quite specific to the environment and I don't think that
it will be useful to have this as a generic feature in Keycloak.. Solution (b) looks like
bit more generally useful, but still not 100% sure about adding it to Keycloak... For the
solution (b), are you talking about the PEM String representation of the X509 certificate,
which just excludes the initial and final lines (Those with "BEGIN CERTIFICATE"
and "END CERTIFICATE" )?
>
> Marek
>
> On 21/03/2019 07:48, Sven-Torben Janus wrote:
>> Hey all!
>>
>> I am currently facing a situation with a customer who wants to implement mutual
SSL / client cert authentication. As I understand from the UserIdentityExtractor[1]
implementations, currently only returning a single value is allowed, because the
UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
>>
>> Now my customer uses the serial number from the certificate to identify users.
However, this is only unique in combination with the issuer of the certificate, since my
customer supports multiple CAs. The combination of both exists in their LDAP as a single
attribute where both parts are separated by a special separator character.
>> In addition to that, the whole certificate of the user is also available in
another LDAP attribute.
>>
>> I currently see the following options to implement a solution for this:
>> 1) Writing a custom Authenticator to handle that specific situation.
>> This one would look very similar to the ootb X509 authenticator, but
>> implements either a) or b) (see below)
>> 2) Making a contribution to Keycloak and extend the list of available
UserIdentitiyExtractors.
>>
>> For both approaches two different implementations come to my mind:
>>
>> a) Adding an additional UserIdentitiyExtractor which combines the issuer and the
serial number into a single string and use that as an identity.
>> b) Adding an additional UserIdentitiyExtractor which returns the whole
certificate as the user's identity.
>>
>> We would prefer contributing to Keycloak, if such a contribution is welcome and
meaningful.
>>
>> Do you have any advice on which way to go here?
>>
>> [1]https://github.com/keycloak/keycloak/blob/master/services/src/mai
>> n
>> /java/org/keycloak/authentication/authenticators/x509/UserIdentityEx
>> t
>> ractor.java
>> [2]https://github.com/keycloak/keycloak/blob/master/services/src/mai
>> n
>> /java/org/keycloak/authentication/authenticators/x509/UserIdentityTo
>> M
>> odelMapper.java#L57
>>
>> Regards
>> Sven-Torben
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
1:42 p.m.
Hi Sven-Torben,
I think that if you mark attribute as "read-only" and maybe also as
"binary attribute" with the LDAP attribute mapper, then it won't be
saved to the Keycloak DB at all. Then you don't need to care about the
length of the field in user_attribute table. Something similar is used
to save the picture in the LDAP example, which is part of
keycloak-examples distribution (the deprecated one).
This will work just with the LDAP, not with Keycloak DB-only setup. But
isn't it what you wanted to use anyway?
Marek
On 15/04/2019 20:16, Sven-Torben Janus wrote:
Hey Marek,
I need to follow up on this.
I have made a first draft of the implementation. However, it seems that certificates are
much longer than currently supported by the value field in the user_attribute table.
Increasing filed length has been discussed in
https://issues.jboss.org/browse/KEYCLOAK-2382, but I could not really figure out what the
current status is? It does not seem to be implemented. Do you see a chance for increasing
the field length?
Regards
Sven-Torben
-----Ursprüngliche Nachricht-----
Von: Marek Posolda <mposolda(a)redhat.com>
Gesendet: Montag, 25. März 2019 12:25
An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>; keycloak-dev(a)lists.jboss.org
Betreff: Re: AW: AW: [keycloak-dev] X.509 User Identity Extractor - multiple values
On 22/03/2019 11:43, Sven-Torben Janus wrote:
> Hey Marek,
>
> as far as I know, RFC 2587 specifies the usercertificate attribute for exactly that
purpose. Active Directory also knows something similar (see
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada3/f9e9...).
Thanks for pointing this. It seems it may be useful to have OOTB UserIdentityExtractor,
which will work with the MSAD "userCertificate"
attribute. So if you have a chance to contribute this, I think it will be fine.
> IMHO matching the certificate against a custom LDAP attribute should also be ok. At
least that is what the custom attribute mapper for the existing "user mapping
method" is doing anyways for all the other user identity sources (like subjectDN,
common name etc.), right?
Maybe it is thin line, but in general, I see that having OOTB extractors, which are able
to pair users based on subjectDN or commonName looks natural and will probably work for
most of the people.
Having something very specific like "issuer;serialNumber" is IMO not generally
useful, so I would rather avoid to have the UserIdentityExtractor in Keycloak OOTB.
Marek
> Regards
> Sven-Torben
>
> -----Ursprüngliche Nachricht-----
> Von: Marek Posolda <mposolda(a)redhat.com>
> Gesendet: Freitag, 22. März 2019 10:20
> An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>;
> keycloak-dev(a)lists.jboss.org
> Betreff: Re: AW: [keycloak-dev] X.509 User Identity Extractor -
> multiple values
>
> Thanks for the clarification
>
> TBH It seems to me that probably even (b) won't be very generally useful. Unless
for example some LDAP servers store the certificate PEM in some standard LDAP attribute of
the user? But if it's customization of LDAP schema specific to your environment to be
able to save the certificate PEM in the LDAP attribute, then my vote is to not add it.
>
> Marek
>
> On 21/03/2019 17:18, Sven-Torben Janus wrote:
>> Hi Marek,
>>
>> I agree to your thoughts on solution a). That's basically why I wanted to
discuss it here, before starting an implementation.
>> Regarding, solution b), yes that is what I thought about (with or without the
initial/final lines).
>>
>> Sven-Torben
>>
>> -----Ursprüngliche Nachricht-----
>> Von: Marek Posolda <mposolda(a)redhat.com>
>> Gesendet: Donnerstag, 21. März 2019 10:54
>> An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>;
>> keycloak-dev(a)lists.jboss.org
>> Betreff: Re: [keycloak-dev] X.509 User Identity Extractor - multiple
>> values
>>
>> Hi,
>>
>> The solution (a) looks quite specific to the environment and I don't think
that it will be useful to have this as a generic feature in Keycloak.. Solution (b) looks
like bit more generally useful, but still not 100% sure about adding it to Keycloak... For
the solution (b), are you talking about the PEM String representation of the X509
certificate, which just excludes the initial and final lines (Those with "BEGIN
CERTIFICATE" and "END CERTIFICATE" )?
>>
>> Marek
>>
>> On 21/03/2019 07:48, Sven-Torben Janus wrote:
>>> Hey all!
>>>
>>> I am currently facing a situation with a customer who wants to implement
mutual SSL / client cert authentication. As I understand from the UserIdentityExtractor[1]
implementations, currently only returning a single value is allowed, because the
UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
>>>
>>> Now my customer uses the serial number from the certificate to identify
users. However, this is only unique in combination with the issuer of the certificate,
since my customer supports multiple CAs. The combination of both exists in their LDAP as a
single attribute where both parts are separated by a special separator character.
>>> In addition to that, the whole certificate of the user is also available in
another LDAP attribute.
>>>
>>> I currently see the following options to implement a solution for this:
>>> 1) Writing a custom Authenticator to handle that specific situation.
>>> This one would look very similar to the ootb X509 authenticator, but
>>> implements either a) or b) (see below)
>>> 2) Making a contribution to Keycloak and extend the list of available
UserIdentitiyExtractors.
>>>
>>> For both approaches two different implementations come to my mind:
>>>
>>> a) Adding an additional UserIdentitiyExtractor which combines the issuer and
the serial number into a single string and use that as an identity.
>>> b) Adding an additional UserIdentitiyExtractor which returns the whole
certificate as the user's identity.
>>>
>>> We would prefer contributing to Keycloak, if such a contribution is welcome
and meaningful.
>>>
>>> Do you have any advice on which way to go here?
>>>
>>> [1]https://github.com/keycloak/keycloak/blob/master/services/src/mai
>>> n
>>> /java/org/keycloak/authentication/authenticators/x509/UserIdentityEx
>>> t
>>> ractor.java
>>> [2]https://github.com/keycloak/keycloak/blob/master/services/src/mai
>>> n
>>> /java/org/keycloak/authentication/authenticators/x509/UserIdentityTo
>>> M
>>> odelMapper.java#L57
>>>
>>> Regards
>>> Sven-Torben
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:26 p.m.
Hello,
another option could be to store user specific certificates as a custom
user credential (UserCredentialModel).
Cheers,
Thomas
On Mon, 15 Apr 2019 at 21:16, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi Sven-Torben,
I think that if you mark attribute as "read-only" and maybe also as
"binary attribute" with the LDAP attribute mapper, then it won't be
saved to the Keycloak DB at all. Then you don't need to care about the
length of the field in user_attribute table. Something similar is used
to save the picture in the LDAP example, which is part of
keycloak-examples distribution (the deprecated one).
This will work just with the LDAP, not with Keycloak DB-only setup. But
isn't it what you wanted to use anyway?
Marek
On 15/04/2019 20:16, Sven-Torben Janus wrote:
> Hey Marek,
>
> I need to follow up on this.
> I have made a first draft of the implementation. However, it seems that
certificates are much longer than currently supported by the value field in
the user_attribute table.
> Increasing filed length has been discussed in
https://issues.jboss.org/browse/KEYCLOAK-2382, but I could not really
figure out what the current status is? It does not seem to be implemented.
Do you see a chance for increasing the field length?
>
> Regards
> Sven-Torben
>
> -----Ursprüngliche Nachricht-----
> Von: Marek Posolda <mposolda(a)redhat.com>
> Gesendet: Montag, 25. März 2019 12:25
> An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>;
keycloak-dev(a)lists.jboss.org
> Betreff: Re: AW: AW: [keycloak-dev] X.509 User Identity Extractor -
multiple values
>
> On 22/03/2019 11:43, Sven-Torben Janus wrote:
>> Hey Marek,
>>
>> as far as I know, RFC 2587 specifies the usercertificate attribute for
exactly that purpose. Active Directory also knows something similar (see
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada3/f9e9...
).
> Thanks for pointing this. It seems it may be useful to have OOTB
UserIdentityExtractor, which will work with the MSAD "userCertificate"
> attribute. So if you have a chance to contribute this, I think it will
be fine.
>> IMHO matching the certificate against a custom LDAP attribute should
also be ok. At least that is what the custom attribute mapper for the
existing "user mapping method" is doing anyways for all the other user
identity sources (like subjectDN, common name etc.), right?
> Maybe it is thin line, but in general, I see that having OOTB
extractors, which are able to pair users based on subjectDN or commonName
looks natural and will probably work for most of the people.
> Having something very specific like "issuer;serialNumber" is IMO not
generally useful, so I would rather avoid to have the UserIdentityExtractor
in Keycloak OOTB.
>
> Marek
>> Regards
>> Sven-Torben
>>
>> -----Ursprüngliche Nachricht-----
>> Von: Marek Posolda <mposolda(a)redhat.com>
>> Gesendet: Freitag, 22. März 2019 10:20
>> An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>;
>> keycloak-dev(a)lists.jboss.org
>> Betreff: Re: AW: [keycloak-dev] X.509 User Identity Extractor -
>> multiple values
>>
>> Thanks for the clarification
>>
>> TBH It seems to me that probably even (b) won't be very generally
useful. Unless for example some LDAP servers store the certificate PEM in
some standard LDAP attribute of the user? But if it's customization of LDAP
schema specific to your environment to be able to save the certificate PEM
in the LDAP attribute, then my vote is to not add it.
>>
>> Marek
>>
>> On 21/03/2019 17:18, Sven-Torben Janus wrote:
>>> Hi Marek,
>>>
>>> I agree to your thoughts on solution a). That's basically why I wanted
to discuss it here, before starting an implementation.
>>> Regarding, solution b), yes that is what I thought about (with or
without the initial/final lines).
>>>
>>> Sven-Torben
>>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: Marek Posolda <mposolda(a)redhat.com>
>>> Gesendet: Donnerstag, 21. März 2019 10:54
>>> An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>;
>>> keycloak-dev(a)lists.jboss.org
>>> Betreff: Re: [keycloak-dev] X.509 User Identity Extractor - multiple
>>> values
>>>
>>> Hi,
>>>
>>> The solution (a) looks quite specific to the environment and I don't
think that it will be useful to have this as a generic feature in
Keycloak.. Solution (b) looks like bit more generally useful, but still not
100% sure about adding it to Keycloak... For the solution (b), are you
talking about the PEM String representation of the X509 certificate, which
just excludes the initial and final lines (Those with "BEGIN CERTIFICATE"
and "END CERTIFICATE" )?
>>>
>>> Marek
>>>
>>> On 21/03/2019 07:48, Sven-Torben Janus wrote:
>>>> Hey all!
>>>>
>>>> I am currently facing a situation with a customer who wants to
implement mutual SSL / client cert authentication. As I understand from the
UserIdentityExtractor[1] implementations, currently only returning a single
value is allowed, because the UserIdentityToModelMapper[2] calls toString
on the actual userIdentity object.
>>>>
>>>> Now my customer uses the serial number from the certificate to
identify users. However, this is only unique in combination with the issuer
of the certificate, since my customer supports multiple CAs. The
combination of both exists in their LDAP as a single attribute where both
parts are separated by a special separator character.
>>>> In addition to that, the whole certificate of the user is also
available in another LDAP attribute.
>>>>
>>>> I currently see the following options to implement a solution for
this:
>>>> 1) Writing a custom Authenticator to handle that specific situation.
>>>> This one would look very similar to the ootb X509 authenticator, but
>>>> implements either a) or b) (see below)
>>>> 2) Making a contribution to Keycloak and extend the list of available
UserIdentitiyExtractors.
>>>>
>>>> For both approaches two different implementations come to my mind:
>>>>
>>>> a) Adding an additional UserIdentitiyExtractor which combines the
issuer and the serial number into a single string and use that as an
identity.
>>>> b) Adding an additional UserIdentitiyExtractor which returns the
whole certificate as the user's identity.
>>>>
>>>> We would prefer contributing to Keycloak, if such a contribution is
welcome and meaningful.
>>>>
>>>> Do you have any advice on which way to go here?
>>>>
>>>> [1]https://github.com/keycloak/keycloak/blob/master/services/src/mai
>>>> n
>>>> /java/org/keycloak/authentication/authenticators/x509/UserIdentityEx
>>>> t
>>>> ractor.java
>>>> [2]https://github.com/keycloak/keycloak/blob/master/services/src/mai
>>>> n
>>>> /java/org/keycloak/authentication/authenticators/x509/UserIdentityTo
>>>> M
>>>> odelMapper.java#L57
>>>>
>>>> Regards
>>>> Sven-Torben
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
12:40 a.m.
Hi Marek,
yes, that is what I wanted.
I fiddled around with these options a little, but the behavior is quite strange.
case 1) mark the attribute in the LDAP mapper read-only, "always read from ldap"
and binary:
I can see that the attribute will not be saved to the Keycloak DB.
From the OpenLDAP debug output I can also see that Keycloak queries my
LDAP with a correct query. OpenLDAP finds the user and returns it. However, Keycloak logs
a warning and fails authentication.
04:27:42,449 WARN [org.keycloak.events] (default task-62) type=LOGIN_ERROR,
realmId=test2, clientId=test, userId=null, ipAddress=192.168.80.1, error=user_not_found,
auth_method=openid-connect, auth_type=code, response_type=code,
redirect_uri=https://localhost/test/, code_id=68fda0bd-d523-4301-9e39-ad1d9a737b1c,
response_mode=fragment, username=MIIETzC<cert truncated for readability>WXI8
case 2a) mark the attribute in the LDAP mapper read-only, "always read from
ldap" and NOT binary:
Result same as in case 1.
case 2b) same as case2a, but explicitly importing users
When explicitly importing the users, Keycloak fails saving the attribute to the database
because of the length limitation.
Result same as in case 1.
case 3a) same as case 2a, but modified the table column to be of type TEXT instead of
VARCHAR(255)
Result same as in case 1.
case 3b) same as case3a, but explicitly importing users
When explicitly importing the users, Keycloak saves the attribute to the database table
user_attribute.
From the OpenLDAP debug output I can also see that Keycloak queries my
LDAP with a correct query. OpenLDAP finds the user and returns it. Authentication works as
expected.
I digged a little through the code and to me this boils down to the UserStorageManager
class which seems to find user with a custom attribute only when the attribute is
available in Keycloaks DB and not within LDAP.
Do you think so too and if yes, do you think that is a bug or by design?
Regards,
Sven-Torben
-----Ursprüngliche Nachricht-----
Von: Marek Posolda <mposolda(a)redhat.com>
Gesendet: Montag, 15. April 2019 20:43
An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>; keycloak-dev(a)lists.jboss.org
Betreff: Re: AW: AW: AW: [keycloak-dev] X.509 User Identity Extractor - multiple values
Hi Sven-Torben,
I think that if you mark attribute as "read-only" and maybe also as "binary
attribute" with the LDAP attribute mapper, then it won't be saved to the Keycloak
DB at all. Then you don't need to care about the length of the field in user_attribute
table. Something similar is used to save the picture in the LDAP example, which is part of
keycloak-examples distribution (the deprecated one).
This will work just with the LDAP, not with Keycloak DB-only setup. But isn't it what
you wanted to use anyway?
Marek
On 15/04/2019 20:16, Sven-Torben Janus wrote:
Hey Marek,
I need to follow up on this.
I have made a first draft of the implementation. However, it seems that certificates are
much longer than currently supported by the value field in the user_attribute table.
Increasing filed length has been discussed in
https://issues.jboss.org/browse/KEYCLOAK-2382, but I could not really figure out what the
current status is? It does not seem to be implemented. Do you see a chance for increasing
the field length?
Regards
Sven-Torben
-----Ursprüngliche Nachricht-----
Von: Marek Posolda <mposolda(a)redhat.com>
Gesendet: Montag, 25. März 2019 12:25
An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>;
keycloak-dev(a)lists.jboss.org
Betreff: Re: AW: AW: [keycloak-dev] X.509 User Identity Extractor -
multiple values
On 22/03/2019 11:43, Sven-Torben Janus wrote:
> Hey Marek,
>
> as far as I know, RFC 2587 specifies the usercertificate attribute for exactly that
purpose. Active Directory also knows something similar (see
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada3/f9e9...).
Thanks for pointing this. It seems it may be useful to have OOTB UserIdentityExtractor,
which will work with the MSAD "userCertificate"
attribute. So if you have a chance to contribute this, I think it will be fine.
> IMHO matching the certificate against a custom LDAP attribute should also be ok. At
least that is what the custom attribute mapper for the existing "user mapping
method" is doing anyways for all the other user identity sources (like subjectDN,
common name etc.), right?
Maybe it is thin line, but in general, I see that having OOTB extractors, which are able
to pair users based on subjectDN or commonName looks natural and will probably work for
most of the people.
Having something very specific like "issuer;serialNumber" is IMO not generally
useful, so I would rather avoid to have the UserIdentityExtractor in Keycloak OOTB.
Marek
> Regards
> Sven-Torben
>
> -----Ursprüngliche Nachricht-----
> Von: Marek Posolda <mposolda(a)redhat.com>
> Gesendet: Freitag, 22. März 2019 10:20
> An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>;
> keycloak-dev(a)lists.jboss.org
> Betreff: Re: AW: [keycloak-dev] X.509 User Identity Extractor -
> multiple values
>
> Thanks for the clarification
>
> TBH It seems to me that probably even (b) won't be very generally useful. Unless
for example some LDAP servers store the certificate PEM in some standard LDAP attribute of
the user? But if it's customization of LDAP schema specific to your environment to be
able to save the certificate PEM in the LDAP attribute, then my vote is to not add it.
>
> Marek
>
> On 21/03/2019 17:18, Sven-Torben Janus wrote:
>> Hi Marek,
>>
>> I agree to your thoughts on solution a). That's basically why I wanted to
discuss it here, before starting an implementation.
>> Regarding, solution b), yes that is what I thought about (with or without the
initial/final lines).
>>
>> Sven-Torben
>>
>> -----Ursprüngliche Nachricht-----
>> Von: Marek Posolda <mposolda(a)redhat.com>
>> Gesendet: Donnerstag, 21. März 2019 10:54
>> An: Sven-Torben Janus <sven-torben.janus(a)conciso.de>;
>> keycloak-dev(a)lists.jboss.org
>> Betreff: Re: [keycloak-dev] X.509 User Identity Extractor - multiple
>> values
>>
>> Hi,
>>
>> The solution (a) looks quite specific to the environment and I don't think
that it will be useful to have this as a generic feature in Keycloak.. Solution (b) looks
like bit more generally useful, but still not 100% sure about adding it to Keycloak... For
the solution (b), are you talking about the PEM String representation of the X509
certificate, which just excludes the initial and final lines (Those with "BEGIN
CERTIFICATE" and "END CERTIFICATE" )?
>>
>> Marek
>>
>> On 21/03/2019 07:48, Sven-Torben Janus wrote:
>>> Hey all!
>>>
>>> I am currently facing a situation with a customer who wants to implement
mutual SSL / client cert authentication. As I understand from the UserIdentityExtractor[1]
implementations, currently only returning a single value is allowed, because the
UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
>>>
>>> Now my customer uses the serial number from the certificate to identify
users. However, this is only unique in combination with the issuer of the certificate,
since my customer supports multiple CAs. The combination of both exists in their LDAP as a
single attribute where both parts are separated by a special separator character.
>>> In addition to that, the whole certificate of the user is also available in
another LDAP attribute.
>>>
>>> I currently see the following options to implement a solution for this:
>>> 1) Writing a custom Authenticator to handle that specific situation.
>>> This one would look very similar to the ootb X509 authenticator,
>>> but implements either a) or b) (see below)
>>> 2) Making a contribution to Keycloak and extend the list of available
UserIdentitiyExtractors.
>>>
>>> For both approaches two different implementations come to my mind:
>>>
>>> a) Adding an additional UserIdentitiyExtractor which combines the issuer and
the serial number into a single string and use that as an identity.
>>> b) Adding an additional UserIdentitiyExtractor which returns the whole
certificate as the user's identity.
>>>
>>> We would prefer contributing to Keycloak, if such a contribution is welcome
and meaningful.
>>>
>>> Do you have any advice on which way to go here?
>>>
>>> [1]https://github.com/keycloak/keycloak/blob/master/services/src/ma
>>> i
>>> n
>>> /java/org/keycloak/authentication/authenticators/x509/UserIdentityE
>>> x
>>> t
>>> ractor.java
>>> [2]https://github.com/keycloak/keycloak/blob/master/services/src/ma
>>> i
>>> n
>>> /java/org/keycloak/authentication/authenticators/x509/UserIdentityT
>>> o
>>> M
>>> odelMapper.java#L57
>>>
>>> Regards
>>> Sven-Torben
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
2080
days inactive
2107
days old
12 comments
4 participants
participants (4)
-
Marek Posolda -
Nalyvayko, Peter -
Sven-Torben Janus -
Thomas Darimont