[keycloak-dev] Pairwise Subject Identifier

Martin Hardselius martin.hardselius at gmail.com
Wed Aug 17 09:59:35 EDT 2016


I'm going to bump this, as I want to continue the discussion/provide some
input.

Does it make sense to support more than type of pairwise subject identifier
generator? E.g through a PairwiseSubGeneratorSpi?

Let's say I want to generate the pairwise sub as a salted hash: sub =
SHA-256( sector_identifier || local_sub || salt )
To me, it makes sense to allow for per-client salts. These salts should
probably be generated and persisted during client creation. Thoughts?

On Fri, 12 Aug 2016 at 09:57 Martin Hardselius <martin.hardselius at gmail.com>
wrote:

> Thank you for your response. Did not see that ticket before. Great news!
>
> I looked into using protocol mappers to achieve this, and while it would
> work I'm worried that once KEYCLOAK-3422 has been resolved and included in
> a proper release we would run into migration issues if the method used for
> calculating "native" pairwise subs is different from what we implement.
> Clients could loose / be forced to re-register all their users if we decide
> to switch. The example methods in the spec are just that. Examples. Maybe
> the method/alg for computing the pairwise sub should be pluggable?
>
> --
> Martin
>
> On Thu, 11 Aug 2016 at 17:15 Marek Posolda <mposolda at redhat.com> wrote:
>
>> Sorry for late response.
>>
>> We have JIRA created for that. You can possibly add yourself as a
>> watcher. See https://issues.jboss.org/browse/KEYCLOAK-3422
>>
>> Maybe an alternative for you is to use protocolMappers. That should allow
>> you to "construct" the token for particular client exactly how you want and
>> also use the different value for "sub" claim.
>>
>> Another possibility is, to handle this on adapter side. We already have
>> an adapter option "principal-attribute", which specifies that application
>> will see the different attribute instead of "sub" as subject. For example
>> when in appllication you call "httpServletRequest.getRemoteUser()" it will
>> return "john" instead of "123456-unique-johns-uuid" . See
>> https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.1/topics/oidc/java/java-adapter-config.html
>>
>> Hopefully some of the options can be useful for you?
>>
>> Marek
>>
>>
>> On 02/08/16 14:13, Martin Hardselius wrote:
>>
>> Me and my team are working towards getting Keycloak, customized for our
>> needs, into production but we've identified the need for Pairwise Subject
>> Identifiers as we don't want to expose internal user ids.
>>
>> Right now, the only subject_types_supported seems to be "public". Are
>> there any near-future plans to include "pairwise"? Can we pitch in with a
>> PR to make this happen as soon as possible?
>>
>> Links to relevant sections in the spec:
>>
>> http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
>> http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
>>
>> --
>> Martin
>>
>>
>> _______________________________________________
>> keycloak-dev mailing listkeycloak-dev at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160817/1b7ba765/attachment-0001.html 


More information about the keycloak-dev mailing list