[keycloak-dev] OAuth 2.0 Mutual TLS Client Authentication

Sebastian Laskawiec slaskawi at redhat.com
Thu Jul 26 04:23:45 EDT 2018


Hey Takashi,

Thanks a lot for the interest in contributing to Keycloak!

Sebi and I are working on this topic currently. We plan to reuse some bits
of the User x509 Authentication and bring them to the client. We planned
the implementation for this sprint, so it *should* be ready in ~3 weeks.

More comments inlined.

Thanks,
Sebastian

On Thu, Jul 26, 2018 at 1:23 AM 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws at hitachi.com> wrote:

> Hello,
>
> As mentioned in https://issues.jboss.org/browse/KEYCLOAK-7512 and
> https://issues.jboss.org/browse/KEYCLOAK-7635, is there anyone who
> currently implements OAuth 2.0 Mutual TLS Client Authentication defined in
> https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2 ?
>

We also have an additional requirement: allow a client to authenticate without
"client_id" being sent (we need to extract it from the certificate obtained
during the TLS handshake). This is required for OpenShift integration.


>
> If no one does it, I would like to try to implement this feature. What do
> you think about it ?
>
> Also, in https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2,
> two types of OAuth 2.0 Mutual TLS Client Authentication are defined, one for
> PKI and one for Self-Signed Certificates.
>
> I would be happy if those of you who are interested in this feature could tell
> me which you like better.
>

As far as I know, we won't be touching self-registering clients. So maybe
once we are done (let's assume that will happen in ~3 weeks), you could
take it over and look into that?

BTW, for now we will be implementing everything in this branch:
https://github.com/sebastienblanc/keycloak/tree/client-x509 (currently it
contains an empty Authenticator, but we will be adding bits and pieces to
it).


>
> Best regards,
> Takashi Norimatsu
> Hitachi Ltd.,
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
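Added example, not code from this thread or from Keycloak: the two client authentication checks of draft-ietf-oauth-mtls-07 section 2 (PKI method by registered subject DN, self-signed method by registered certificate), plus the lookup Sebastian describes where no client_id is sent and the client must be identified from the certificate alone. The client registry, the peer certificate (in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns) and the DER bytes are all constructed stand-ins; `chain_valid` is assumed to come from the TLS layer's chain validation.

```python
import hashlib
import hmac
from typing import Optional

# Short attribute names for the long names ssl.getpeercert() uses in 'subject'.
_SHORT = {"commonName": "CN", "organizationalUnitName": "OU",
          "organizationName": "O", "countryName": "C"}

# Constructed client registry (hypothetical, not Keycloak's client model).
# PKI method (draft sec 2.1): a registered tls_client_auth_subject_dn.
# Self-signed method (draft sec 2.2): the registered certificate itself (jwks x5c),
# stored here as the SHA-256 of its DER so the compare is on a fixed-length digest.
SERVICE_B_DER = b"constructed DER bytes standing in for service-b's certificate"
CLIENTS = {
    "service-a": {"tls_client_auth_subject_dn": "CN=service-a,OU=Payments,O=Example Corp,C=US"},
    "service-b": {"x5t_s256": hashlib.sha256(SERVICE_B_DER).digest()},
}

# Constructed peer certificate in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_PEERCERT = {"subject": ((("countryName", "US"),),
                               (("organizationName", "Example Corp"),),
                               (("organizationalUnitName", "Payments"),),
                               (("commonName", "service-a"),))}

def subject_dn(peercert: dict) -> str:
    """Render getpeercert()['subject'] (RDNs root-first) as an RFC 4514 string (leaf-first)."""
    rdns = ["+".join(f"{_SHORT.get(k, k)}={v}" for k, v in rdn) for rdn in peercert["subject"]]
    return ",".join(reversed(rdns))

def authenticate(peercert: dict, der: bytes, chain_valid: bool,
                 client_id: Optional[str] = None) -> Optional[str]:
    """Return the authenticated client_id, or None. With no client_id the client is
    looked up by certificate alone and must match exactly one registration."""
    candidates = [client_id] if client_id else list(CLIENTS)
    matched = []
    for cid in candidates:
        reg = CLIENTS.get(cid)
        if reg is None:
            continue
        if "tls_client_auth_subject_dn" in reg:
            # PKI method: only meaningful if the TLS layer validated the chain to a trusted CA.
            if chain_valid and hmac.compare_digest(
                    subject_dn(peercert).encode(), reg["tls_client_auth_subject_dn"].encode()):
                matched.append(cid)
        elif "x5t_s256" in reg:
            # Self-signed method: the presented cert must be the registered one, byte for byte.
            if hmac.compare_digest(hashlib.sha256(der).digest(), reg["x5t_s256"]):
                matched.append(cid)
    return matched[0] if len(matched) == 1 else None
```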

