[keycloak-dev] Requirements to Elytron for Client 2-way SSL authentication

Stian Thorgersen stian at redhat.com
Thu Jul 16 08:57:58 EDT 2015



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Marek Posolda" <mposolda at redhat.com>, keycloak-dev at lists.jboss.org
> Sent: Thursday, 16 July, 2015 2:40:11 PM
> Subject: Re: [keycloak-dev] Requirements to Elytron for Client 2-way SSL authentication
> 
> 
> 
> On 7/16/2015 4:20 AM, Marek Posolda wrote:
> >> I'm not sure we really need to have any special integration with
> >> Elytron.  We just need to make sure that it can support certificate
> >> chains the way we want to support it.  I'm pretty sure EAP 6.x can
> >> support what we want, read on...
> >>
> >> The certificate chain is available from the HttpServletRequest as per the
> >> spec.  I'm not exactly sure on the specifics, but all you need is one
> >> "root" certificate in the web server's trust store.  Then you could
> >> conceivably create a trusted certificate chain as follows:
> >>
> >> 1) Organization root certificate.
> >>
> >> 2) Root cert signs Realm cert.
> >>
> >> 3) Realm cert signs client cert.
> >>
> >> Following me?  My guess is that it would be really easy to issue our own
> >> client certs and that we could have a Required Action that helped set
> >> this up.
> >>
> > Yeah, so if we can just put root certificate in truststore at startup,
> > it's easy. The issue might be if we want root CA to be added to
> > truststore at "runtime" as Stian mentioned in other mail. Will try to
> > double-check if it's possible.
> >
> 
> I don't know how well cert chains are supported.  I guess you'll find out :)
> 
> 
> For client auth, shouldn't we just support the best practices and
> whatever the spec requires?  2-way SSL is a pain in the ass, wouldn't
> you be better off with PIN+OTP?  Much easier to set up and manage.

I was thinking 2-way SSL would be easier - SSL is required in either case so a client has to have that enabled, why not utilize that to also authenticate the client?

> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 

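The three-level hierarchy Bill sketches in the quoted message (organization root signs a realm cert, realm cert signs the client cert, only the root sits in the server's trust store), worked through as an added example; this is not code from the thread or from Keycloak. It is Go using only the standard library; the organization names, the subject "alice@..." and the function names are made up for the illustration. The check in `verifyClient` is the one the TLS layer performs during the handshake before a servlet container exposes the chain as the `javax.servlet.request.X509Certificate` request attribute: the realm CA is never configured on the server, it has to arrive with the client's chain, and a client cert that does not lead back to the trusted root is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issued pairs a generated private key with its parsed certificate.
type issued struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// issue creates a certificate for cn. With parent == nil it is self-signed (the
// organization root); otherwise it is signed by parent's key. CA certificates get
// basicConstraints CA:TRUE, leaf certificates get the clientAuth extended key usage.
func issue(cn string, isCA bool, parent *issued, serial int64) (*issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issued{key: key, cert: cert}, nil
}

// hierarchy is the three-level chain from the thread: org root -> realm CA -> client cert.
type hierarchy struct {
	root, realm, client *issued
}

// buildHierarchy issues the three certificates; org is a constructed example name.
func buildHierarchy(org string) (*hierarchy, error) {
	root, err := issue(org+" Root CA", true, nil, 1)
	if err != nil {
		return nil, err
	}
	realm, err := issue(org+" Realm CA", true, root, 2)
	if err != nil {
		return nil, err
	}
	client, err := issue("alice@"+org, false, realm, 3)
	if err != nil {
		return nil, err
	}
	return &hierarchy{root: root, realm: realm, client: client}, nil
}

// verifyClient is the server-side check. trustStore holds only what the server was
// configured with (the org root); presented is the rest of the chain the client sent
// in the TLS handshake. A chain missing the realm CA, or a client cert that does not
// lead back to a trusted root, fails to verify.
func verifyClient(client *x509.Certificate, presented []*x509.Certificate, trustStore ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trustStore {
		roots.AddCert(c)
	}
	intermediates := x509.NewCertPool()
	for _, c := range presented {
		intermediates.AddCert(c)
	}
	_, err := client.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	h, err := buildHierarchy("example.test")
	if err != nil {
		panic(err)
	}
	other, err := buildHierarchy("other.test") // an unrelated organization's hierarchy
	if err != nil {
		panic(err)
	}
	fmt.Println("full chain, only root trusted:", verifyClient(h.client.cert, []*x509.Certificate{h.realm.cert}, h.root.cert))
	fmt.Println("realm CA not presented:       ", verifyClient(h.client.cert, nil, h.root.cert))
	fmt.Println("client from another root:     ", verifyClient(other.client.cert, []*x509.Certificate{other.realm.cert}, h.root.cert))
}
```

The first call returns nil (the chain closes at the trusted root), the other two return a verification error. Adding a root at runtime, the case Marek and Stian raise, corresponds to building a fresh `trustStore` pool rather than reusing the one loaded at startup; what the pool contains still decides which realm CAs are accepted.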
