[keycloak-dev] OAuth 2.0 Mutual TLS Client Authentication
Sebastien Blanc
sblanc at redhat.com
Fri Jul 27 03:30:43 EDT 2018
Hi Takashi !
You can even help before if you want to :)
The ticket is here : https://issues.jboss.org/browse/KEYCLOAK-7635
I created an "empty" X509ClientAuthenticator" branch here :
https://github.com/sebastienblanc/keycloak/tree/client-x509
And I'm investigating what we can reuse from this pacakge :
https://github.com/keycloak/keycloak/tree/master/services/src/main/java/org/keycloak/authentication/authenticators/x509
Any feedback, help, advise is welcome !
Sebi
On Fri, Jul 27, 2018 at 3:22 AM, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws at hitachi.com> wrote:
> Hello Sebastian,
>
> I'm looking forward to your work, and I would be happy if I could make
> some contribution after finishing your work.
>
> Best regards,
> Takashi Norimatsu
> Hitachi Ltd.,
>
> ----------
> From: Sebastian Laskawiec <slaskawi at redhat.com>
> Sent: Thursday, July 26, 2018 5:24 PM
> To: 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws at hitachi.com>
> Cc: keycloak-dev at lists.jboss.org
> Subject: [!]Re: [keycloak-dev] OAuth 2.0 Mutual TLS Client Authentication
>
> Hey Takashi,
>
> Thanks a lot for the interest in contributing Keycloak!
>
> Sebi and I are working on this topic currently. We plan to reuse some bits
> of the User x509 Authentication and bring them to the client. We planned
> the implementation for this sprint, so it *should* be ready in ~3 weeks.
>
> More comments inlined.
>
> Thanks,
> Sebastian
> On Thu, Jul 26, 2018 at 1:23 AM 乗松隆志 / NORIMATSU,TAKASHI <
> takashi.norimatsu.ws at hitachi.com> wrote:
> Hello,
>
> As for mentioned in https://issues.jboss.org/browse/KEYCLOAK-7512 and
> https://issues.jboss.org/browse/KEYCLOAK-7635, Is there anyone who
> currently implements OAuth 2.0 Mutual TLS Client Authentication defined in
> https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2 ?
>
> We also have additional requirement - allow to authenticate client without
> "client_id" being sent (we need to extract it from the Certificate obtained
> during TLS Handshake). This is required for OpenShift integration.
>
>
> If no one does it, I would like to try to implement this feature. What do
> you think about it ?
>
> Also, In https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2,
> two types of OAuth 2.0 Mutual TLS Client Authentication are defined, for
> PKI and for Self-Signed Certificate.
>
> I would be happy if you who are interested in this feature tell me which
> you like better.
>
> As far as I know, we won't be touching self-registering clients. So maybe
> once we are done (let's assume that will happen in ~3 weeks), you could
> take it over and look into that?
>
> BTW, as for now, we will be implementing everything in this branch:
> https://github.com/sebastienblanc/keycloak/tree/client-x509 (currently,
> it contains an empty Authenticator but we will be adding bits and pieces to
> it).
>
>
> Best regards,
> Takashi Norimatsu
> Hitachi Ltd.,
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list