[keycloak-dev] Pairwise Subject Identifier

Marek Posolda mposolda at redhat.com
Thu Aug 11 11:15:18 EDT 2016


Sorry for late response.

We have JIRA created for that. You can possibly add yourself as a 
watcher. See https://issues.jboss.org/browse/KEYCLOAK-3422

Maybe an alternative for you is to use protocolMappers. That should 
allow you to "construct" the token for particular client exactly how you 
want and also use the different value for "sub" claim.

Another possibility is to handle this on adapter side. We already have 
an adapter option "principal-attribute", which specifies that 
application will see the different attribute instead of "sub" as 
subject. For example, when in an application you call 
"httpServletRequest.getRemoteUser()" it will return "john" instead of 
"123456-unique-johns-uuid". See 
https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.1/topics/oidc/java/java-adapter-config.html

Hopefully some of the options can be useful for you?

Marek

On 02/08/16 14:13, Martin Hardselius wrote:
> Me and my team are working towards getting Keycloak, customized for 
> our needs, into production but we've identified the need for Pairwise 
> Subject Identifiers as we don't want to expose internal user ids.
>
> Right now, the only subject_types_supported seems to be "public". Are 
> there any near-future plans to include "pairwise"? Can we pitch in 
> with a PR to make this happen as soon as possible?
>
> Links to relevant sections in the spec:
>
> http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
> http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
>
> -- 
> Martin
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
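For the pairwise derivation that the spec sections Martin links describe, here is an added Python example (not Keycloak code, and not written by either poster) implementing the example algorithm from OpenID Connect Core 1.0 section 8.1: the sector identifier host, the internal user id and a provider-wide salt are hashed with SHA-256 and base64url-encoded. The function names, the sample user id, redirect URIs and salt are all constructed for illustration.

```python
# Added example: pairwise 'sub' derivation per OpenID Connect Core 1.0, 8.1:
#   sub = base64url(SHA-256(sector_identifier || local_account_id || salt))
# Not Keycloak code; names and sample values are constructed.
import base64
import hashlib
from urllib.parse import urlparse


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Return the host used as the sector identifier for a client.

    If the client registered a sector_identifier_uri, its host is the sector;
    otherwise all redirect URIs must share exactly one host, which is used.
    """
    if sector_identifier_uri:
        return urlparse(sector_identifier_uri).hostname
    hosts = {urlparse(u).hostname for u in redirect_uris}
    if len(hosts) != 1 or None in hosts:
        raise ValueError("redirect URIs must share one host unless a "
                         "sector_identifier_uri is registered")
    return hosts.pop()


def pairwise_sub(sector, local_user_id, salt):
    """Derive the pairwise 'sub' for one sector from an internal user id.

    The salt is a provider-wide secret: without it, anyone who knows the
    sector host could test guessable internal ids against an observed 'sub'.
    Different sectors yield unrelated values, so two relying parties cannot
    correlate the same user by comparing their 'sub' claims.
    """
    if not salt:
        raise ValueError("salt must be non-empty")
    material = (sector + local_user_id + salt).encode("utf-8")
    digest = hashlib.sha256(material).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    SALT = "constructed-provider-salt"      # would be a stored secret
    uid = "123456-unique-johns-uuid"        # internal id, never exposed
    sub_a = pairwise_sub(sector_identifier(["https://app-a.example.com/cb"]), uid, SALT)
    sub_b = pairwise_sub(sector_identifier(["https://app-b.example.com/cb"]), uid, SALT)
    print(sub_a, sub_b, sub_a != sub_b)
```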
