[keycloak-dev] X.509 Authenticator - New User Identity Source

Marek Posolda mposolda at redhat.com
Thu Aug 8 11:18:58 EDT 2019


Hi,

I've just done a review of your PR and added a few minor comments. Sorry 
for the delay. Thanks for your contribution.

Marek

On 21. 07. 19 12:45, Nemanja Hiršl wrote:
> Hi,
>
> did you get a chance to look into this PR?
> If there's something wrong with code/logic, I'll be happy to rework 
> it.... Just let me know.
>
> Best regards,
> Nemanja
>
> On 7/8/19 2:44 PM, Nemanja Hiršl wrote:
>> Hi Marek,
>>
>> After having some troubles in resolving merge conflicts, I've finally 
>> filed new PR: https://github.com/keycloak/keycloak/pull/6153
>> Please take a look when you have time.
>> Thanks.
>>
>> Best regards,
>> Nemanja
>>
>> On 7/3/19 10:41 AM, Marek Posolda wrote:
>>> Thanks!
>>>
>>> Marek
>>>
>>> On 03/07/2019 10:34, Nemanja Hiršl wrote:
>>>> On 7/3/19 8:16 AM, Marek Posolda wrote:
>>>>> On 03/07/2019 00:20, Nalyvayko, Peter wrote:
>>>>>> Hi Marek,
>>>>>>
>>>>>>
>>>>>> I believe in the original version the regular expression was the 
>>>>>> only mapper provided out of the box to parse the unique identity 
>>>>>> from the subject's DN. Adding the x500 mappers (email, etc.) came 
>>>>>> up, if I recall correctly, during the PR discussion, but I could 
>>>>>> be wrong.
>>>>>
>>>>> Cool, Thanks for clarifying.
>>>>>
>>>>> I think that when we add the "Issuer's DN + serial number" 
>>>>> combination, we can remove "Issuer's email" and "Issuer's Common 
>>>>> Name".
>>>>>
>>>>
>>>> Thanks.
>>>> I'll try to prepare a PR in the next couple of days to remove "Issuer's 
>>>> email" and "Issuer's Common Name" and add "Issuer's DN and serial number".
>>>>
>>>>
>>>> Best regards,
>>>> Nemanja
>>>>
>>>>> Marek
>>>>>
>>>>>>
>>>>>>> None of the provided mappings can guarantee uniqueness.
>>>>>> For on-premise deployments having a simple mapping (email from 
>>>>>> x509 cert) may be sufficient as long as there is a single trusted 
>>>>>> CA.
>>>>>>
>>>>>>> I would also vote to remove "Issuer's email" and "Issuer's 
>>>>>>> Common Name", as I can't imagine that those can ever be used to 
>>>>>>> uniquely identify a subject, and I doubt that someone is using this 
>>>>>>> in production to uniquely identify a user?
>>>>>> +1, I am not aware of any of our clients using the issuer's mappers.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Peter
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: keycloak-dev-bounces at lists.jboss.org 
>>>>>> <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Marek Posolda
>>>>>> Sent: Tuesday, July 2, 2019 12:38 PM
>>>>>> To: Nemanja Hiršl <nemanja.hirsl at netsetglobal.rs>; 
>>>>>> keycloak-dev at lists.jboss.org
>>>>>> Subject: Re: [keycloak-dev] X.509 Authenticator - New User 
>>>>>> Identity Source
>>>>>>
>>>>>>
>>>>>> On 02/07/2019 16:38, Nemanja Hiršl wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> The current implementation of the X.509 Authenticator uses a number of
>>>>>>> different mappings of a certificate to a user identity.
>>>>>>> None of the provided mappings can guarantee uniqueness. It is up to the
>>>>>>> CA to choose which fields to include in the SubjectDN and SAN, and there
>>>>>>> might be some unique data. In these cases we can use the provided mappers
>>>>>>> to identify users. However, if there's a need to support certificates
>>>>>>> from different CAs, with unrelated usage of SubjectDN and SAN fields,
>>>>>>> those mappers are not sufficient.
>>>>>>>
>>>>>>> One way to uniquely identify a user is to use the certificate thumbprint.
>>>>>>> For the solution I'm working on, we have implemented a SHA256-Thumbprint
>>>>>>> mapper and it is giving us the expected results.
>>>>>>>
>>>>>>> Do you think a sha256 thumbprint mapper would be a useful addition to
>>>>>>> the already existing mappers?
>>>>>>> Should I prepare an appropriate PR?
>>>>>>>
>>>>>>> The other approach might be a combination of serial number and issuer.
>>>>>>> According to RFC 5280, the issuer name and serial number identify a
>>>>>>> unique certificate. This is something I haven't tried, but I would
>>>>>>> like to hear your opinion.
>>>>>> +1 for the serial number + Issuer DN.
>>>>>>
>>>>>> I would also vote to remove "Issuer's email" and "Issuer's Common Name",
>>>>>> as I can't imagine that those can ever be used to uniquely
>>>>>> identify a subject, and I doubt that someone is using this in
>>>>>> production to uniquely identify a user?
>>>>>>
>>>>>> Adding Peter Nalyvayko to CC as I believe he was the original 
>>>>>> author who added those. Peter, feel free to correct me if I am 
>>>>>> wrong :)
>>>>>>
>>>>>> Thanks,
>>>>>> Marek
>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> References:
>>>>>>> 1. There's a nice explanation on stackoverflow of what can be 
>>>>>>> used to uniquely identify users:
>>>>>>> https://stackoverflow.com/questions/5290571/which-parts-of-the-client-certificate-to-use-when-uniquely-identifying-users
>>>>>>> 2. There's also a discussion here:
>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-9610
>>>>>>> 3. RFC 5280: https://tools.ietf.org/html/rfc5280#section-4.1.2.2
>>>>>>>
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Nemanja
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-dev mailing list
>>>>>>> keycloak-dev at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>>
>
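As an added illustration of the two identity sources the thread weighs (this is Python written for this note, not Keycloak's Java mappers and not code from the PR), the block below builds two constructed, unsigned test certificates that share the same subject CN and the same serial number but come from two different CAs, then derives the SHA-256 thumbprint over the DER encoding and the issuer DN + serial number pair that RFC 5280 says identifies a unique certificate. A subject-CN mapper would collide across the two CAs; neither of the proposed identity sources does. The tiny DER encoder/decoder, the sample CA names and dates, and the `;serial=` formatting of the combined identity are all this example's own assumptions; the DN string order follows RFC 4514, which is also what Java's `X500Principal.getName()` produces.

```python
import hashlib

# Minimal DER encode/decode helpers written for this example (not Keycloak code).
def _der_len(n):  # short form below 128, else 0x8N followed by N length bytes
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_oid(dotted):  # first two arcs share one byte, the rest are base-128 big-endian
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def der_name(rdns):  # X.501 Name: SEQUENCE OF SET OF {OID, UTF8String}, in X.500 order (C first)
    return der_seq(*[der(0x31, der_seq(der_oid(o), der(0x0C, v.encode()))) for o, v in rdns])

def read_tlv(buf, pos):  # -> (tag, content, end); raises on truncated or non-DER lengths
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, header = buf[pos], buf[pos + 1], 2
    if length >= 0x80:  # long form; a bare 0x80 is BER indefinite length, which DER forbids
        header = 2 + (length & 0x7F)
        length = int.from_bytes(buf[pos + 2:pos + header], "big") if header > 2 else -1
    end = pos + header + length
    if length < 0 or end > len(buf):
        raise ValueError("malformed or truncated DER length")
    return tag, buf[pos + header:end], end

def iter_tlvs(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

ATTRIBUTE_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}
def name_to_string(name_body):
    # RFC 4514 order (last RDN first), as Java's X500Principal.getName() renders it; no escaping (simplified)
    rdns = []
    for _, rdn in iter_tlvs(name_body):
        atvs = []
        for _, atv in iter_tlvs(rdn):
            _, oid, nxt = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, nxt)
            atvs.append(f"{ATTRIBUTE_NAMES.get(decode_oid(oid), decode_oid(oid))}={value.decode()}")
        rdns.append("+".join(atvs))
    return ",".join(reversed(rdns))

def sha256_thumbprint(cert_der):  # hex SHA-256 over the full DER, as `openssl x509 -fingerprint -sha256`
    return hashlib.sha256(cert_der).hexdigest()

def certificate_fields(cert_der):  # -> (serial, issuer_dn, subject_dn) from TBSCertificate (RFC 5280 4.1)
    tag, cert, end = read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a single DER SEQUENCE")
    fields = list(iter_tlvs(read_tlv(cert, 0)[1]))
    i = 1 if fields[0][0] == 0xA0 else 0  # optional [0] version, then serial, signature, issuer, validity, subject
    if fields[i][0] != 0x02:
        raise ValueError("serialNumber missing")
    serial = int.from_bytes(fields[i][1], "big", signed=True)
    return serial, name_to_string(fields[i + 2][1]), name_to_string(fields[i + 4][1])

def issuer_serial_identity(cert_der):  # issuer DN + serial; the ";serial=" layout is this example's choice
    serial, issuer, _ = certificate_fields(cert_der)
    return f"{issuer};serial={serial:x}"

# Constructed, unsigned sample certificates: same subject CN and serial, issued by two different CAs.
def build_test_certificate(issuer_rdns, serial, subject_rdns):
    alg = der_seq(der_oid("1.2.840.113549.1.1.11"), der(0x05, b""))  # sha256WithRSAEncryption
    validity = der_seq(der(0x17, b"190701000000Z"), der(0x17, b"200701000000Z"))
    spki = der_seq(der_seq(der_oid("1.2.840.113549.1.1.1"), der(0x05, b"")), der(0x03, bytes(17)))
    tbs = der_seq(der(0xA0, der(0x02, b"\x02")), der(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big")),
                  alg, der_name(issuer_rdns), validity, der_name(subject_rdns), spki)
    return der_seq(tbs, alg, der(0x03, bytes(33)))  # placeholder signature bits, not verifiable

C, O, CN = "2.5.4.6", "2.5.4.10", "2.5.4.3"
CERT_FROM_CA_A = build_test_certificate([(C, "US"), (O, "Example CA A"), (CN, "Example CA A Root")], 0x1001, [(CN, "alice")])
CERT_FROM_CA_B = build_test_certificate([(C, "US"), (O, "Example CA B"), (CN, "Example CA B Root")], 0x1001, [(CN, "alice")])
```

Calling `certificate_fields(CERT_FROM_CA_A)` and `certificate_fields(CERT_FROM_CA_B)` returns the same subject DN, `CN=alice`, for both, while `issuer_serial_identity` and `sha256_thumbprint` differ between them; the parser also refuses a certificate with its last byte cut off, which matters because a thumbprint computed over a mangled encoding would silently map to a different user.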


