Hey Takashi,
Thanks a lot for the interest in contributing to Keycloak!
Sebi and I are working on this topic currently. We plan to reuse some bits
of the User x509 Authentication and bring them to the client. We planned
the implementation for this sprint, so it *should* be ready in ~3 weeks.
More comments inlined.
Thanks,
Sebastian
On Thu, Jul 26, 2018 at 1:23 AM 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws(a)hitachi.com> wrote:
> We also have an additional requirement - allow authenticating a client without
> "client_id" being sent (we need to extract it from the Certificate obtained
> during the TLS Handshake). This is required for OpenShift integration.
> If no one does it, I would like to try to implement this feature. What do
> you think about it?
> Also, in
> https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2,
> two types of OAuth 2.0 Mutual TLS Client Authentication are defined, for
> PKI and for Self-Signed Certificate.
> I would be happy if those of you who are interested in this feature would tell
> me which you like better.
As far as I know, we won't be touching self-registering clients. So maybe
once we are done (let's assume that will happen in ~3 weeks), you could
take it over and look into that?
BTW, as for now, we will be implementing everything in this branch:
https://github.com/sebastienblanc/keycloak/tree/client-x509 (currently, it
contains an empty Authenticator but we will be adding bits and pieces to
it).
> Best regards,
> Takashi Norimatsu
> Hitachi Ltd.,
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
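The two client authentication methods from draft-ietf-oauth-mtls section 2 that Takashi asks about, as an added example that is not part of this thread or of the Keycloak code base: a self-contained Go sketch (Keycloak itself is Java; Go is used here only so the demonstration runs stand-alone) that resolves a client from the presented certificate alone, with no client_id sent, under both the PKI method and the self-signed method. The Client record, the stored method names, and the constructed test CA and client names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Client struct{ ID, Method, SubjectDN, Thumbprint string } // hypothetical record; Thumbprint: hex SHA-256 of registered DER cert
// ResolveClient maps the presented certificate to a client id with no client_id sent, or "" when it matches nothing.
// Method is "tls_client_auth" (PKI: DN under a trusted CA) or "self_signed_tls_client_auth" (the registered cert itself).
func ResolveClient(clients []Client, roots *x509.CertPool, presented *x509.Certificate) string {
	_, chainErr := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	for _, c := range clients {
		pkiOK := c.Method == "tls_client_auth" && chainErr == nil && presented.Subject.String() == c.SubjectDN // DN alone is forgeable
		selfOK := c.Method == "self_signed_tls_client_auth" && fmt.Sprintf("%x", sha256.Sum256(presented.Raw)) == c.Thumbprint
		if pkiOK || selfOK {
			return c.ID
		}
	}
	return "" // unknown or unverifiable certificate: reject
}

// makeCert issues a client-auth certificate for cn, signed by parent, or self-signed when parent is nil (constructed test data).
func makeCert(serial int64, cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo: a constructed CA, one CA-issued client, one self-signed client, and an impostor whose self-signed cert copies the PKI client's DN.
func Demo() (string, string, string) {
	ca, caKey := makeCert(1, "Constructed Test CA", true, nil, nil)
	leaf, _ := makeCert(2, "payments-api", false, ca, caKey)
	ss, _ := makeCert(3, "batch-job", false, nil, nil)
	forged, _ := makeCert(4, "payments-api", false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	clients := []Client{{ID: "payments-api", Method: "tls_client_auth", SubjectDN: "CN=payments-api"},
		{ID: "batch-job", Method: "self_signed_tls_client_auth", Thumbprint: fmt.Sprintf("%x", sha256.Sum256(ss.Raw))}}
	return ResolveClient(clients, roots, leaf), ResolveClient(clients, roots, ss), ResolveClient(clients, roots, forged)
}

func main() { fmt.Println(Demo()) }
```

The forged certificate carries the same DN as the PKI client but fails chain validation, which is why the PKI branch checks the chain before comparing the DN.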