[keycloak-dev] X.509 Authenticator - New User Identity Source

Nemanja Hiršl nemanja.hirsl at netsetglobal.rs
Fri Aug 9 07:51:37 EDT 2019


Thanks, Marek,

No worries.
I'll update this PR according to comments and prepare new documentation 
PR sometime next week.

Best regards,
Nemanja

On 8/8/19 5:18 PM, Marek Posolda wrote:
> Hi,
>
> I've just done a review of your PR and added a few minor comments. Sorry 
> for the delay. Thanks for your contribution.
>
> Marek
>
> On 21. 07. 19 12:45, Nemanja Hiršl wrote:
>> Hi,
>>
>> did you get a chance to look into this PR?
>> If there's something wrong with code/logic, I'll be happy to rework 
>> it.... Just let me know.
>>
>> Best regards,
>> Nemanja
>>
>> On 7/8/19 2:44 PM, Nemanja Hiršl wrote:
>>> Hi Marek,
>>>
>>> After having some trouble resolving merge conflicts, I've 
>>> finally filed a new PR: https://github.com/keycloak/keycloak/pull/6153
>>> Please take a look when you have time.
>>> Thanks.
>>>
>>> Best regards,
>>> Nemanja
>>>
>>> On 7/3/19 10:41 AM, Marek Posolda wrote:
>>>> Thanks!
>>>>
>>>> Marek
>>>>
>>>> On 03/07/2019 10:34, Nemanja Hiršl wrote:
>>>>> On 7/3/19 8:16 AM, Marek Posolda wrote:
>>>>>> On 03/07/2019 00:20, Nalyvayko, Peter wrote:
>>>>>>> Hi Marek,
>>>>>>>
>>>>>>>
>>>>>>> I believe in the original version the regular expression was the 
>>>>>>> only mapper provided out of the box to parse the unique 
>>>>>>> identity from the subject's DN. Adding the x500 mappers (email, 
>>>>>>> etc.) came up, if I recall correctly, during the PR discussion, 
>>>>>>> but I could be wrong.
>>>>>>
>>>>>> Cool, Thanks for clarifying.
>>>>>>
>>>>>> I think that when we add the "Issuer's DN + serial number" 
>>>>>> combination, we can remove "Issuer's email" and "Issuer's Common 
>>>>>> Name".
>>>>>>
>>>>>
>>>>> Thanks.
>>>>> I'll try to prepare a PR in the next couple of days to remove 
>>>>> "Issuer's email" and "Issuer's Common Name" and add "Issuer's DN and 
>>>>> serial number".
>>>>>
>>>>>
>>>>> Best regards,
>>>>> Nemanja
>>>>>
>>>>>> Marek
>>>>>>
>>>>>>>
>>>>>>>>   None of the provided mappings can guarantee uniqueness.
>>>>>>> For on-premise deployments having a simple mapping (email from 
>>>>>>> x509 cert) may be sufficient as long as there is a single 
>>>>>>> trusted CA.
>>>>>>>
>>>>>>>>   I would also vote to remove "Issuer's email" and "Issuer's 
>>>>>>>> Common Name", as I can't imagine that those can ever be used to 
>>>>>>>> uniquely identify a subject, and I doubt that someone is using 
>>>>>>>> this in production to uniquely identify a user?
>>>>>>> +1 I am not aware of any of our clients using the issuer's mappers.
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Peter
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: keycloak-dev-bounces at lists.jboss.org 
>>>>>>> <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Marek Posolda
>>>>>>> Sent: Tuesday, July 2, 2019 12:38 PM
>>>>>>> To: Nemanja Hiršl <nemanja.hirsl at netsetglobal.rs>; 
>>>>>>> keycloak-dev at lists.jboss.org
>>>>>>> Subject: Re: [keycloak-dev] X.509 Authenticator - New User 
>>>>>>> Identity Source
>>>>>>>
>>>>>>>
>>>>>>> On 02/07/2019 16:38, Nemanja Hiršl wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> The current implementation of the X.509 Authenticator uses a number of
>>>>>>>> different mappings of a certificate to a user identity.
>>>>>>>> None of the provided mappings can guarantee uniqueness. It is up to 
>>>>>>>> the CA to choose which fields to include in the SubjectDN and SAN, 
>>>>>>>> and there might be some unique data there. In these cases we can use 
>>>>>>>> the provided mappers to identify users. However, if there's a need 
>>>>>>>> to support certificates from different CAs, with unrelated usage of 
>>>>>>>> the SubjectDN and SAN fields, those mappers are not sufficient.
>>>>>>>>
>>>>>>>> One way to uniquely identify a user is to use the certificate 
>>>>>>>> thumbprint. For the solution I'm working on, we have implemented a 
>>>>>>>> SHA256-Thumbprint mapper and it is giving us the expected results.
>>>>>>>>
>>>>>>>> Do you think a sha256 thumbprint mapper would be a useful addition 
>>>>>>>> to the already existing mappers?
>>>>>>>> Should I prepare an appropriate PR?
>>>>>>>>
>>>>>>>> The other approach might be a combination of serial number and 
>>>>>>>> issuer. According to RFC 5280, the issuer name and serial number 
>>>>>>>> identify a unique certificate. This is something I haven't tried, 
>>>>>>>> but I would like to hear your opinion.
>>>>>>> +1 for the serial number + Issuer DN.
>>>>>>>
>>>>>>> I would also vote to remove "Issuer's email" and "Issuer's 
>>>>>>> Common Name", as I can't imagine that those can ever be used to 
>>>>>>> uniquely identify a subject, and I doubt that someone is using this 
>>>>>>> in production to uniquely identify a user?
>>>>>>>
>>>>>>> Adding Peter Nalyvayko to CC as I believe he was the original 
>>>>>>> author who added those. Peter, feel free to correct me if I am 
>>>>>>> wrong :)
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Marek
>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> References:
>>>>>>>> 1. There's a nice explanation on Stack Overflow of what can be 
>>>>>>>> used to uniquely identify users:
>>>>>>>> https://stackoverflow.com/questions/5290571/which-parts-of-the-client-certificate-to-use-when-uniquely-identifying-users
>>>>>>>> 2. There's also a discussion here:
>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-9610
>>>>>>>> 3. RFC 5280: https://tools.ietf.org/html/rfc5280#section-4.1.2.2
>>>>>>>>
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Nemanja
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-dev mailing list
>>>>>>>> keycloak-dev at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
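Added example (not from this thread and not Keycloak's own mapper code): a small Python script that shows why the thread settles on "Issuer's DN + serial number" and a SHA-256 thumbprint as identity sources, and why subject CN or serial number alone do not work across CAs. It builds three constructed sample certificates with a minimal DER encoder (structurally valid X.509 skeletons with a placeholder key and a fake signature, so nothing here verifies a chain), then applies four candidate mappers to them. The certificate names, serial numbers and the 'Example Corp' / 'Partner Ltd' organisations are made up for the example; the DER walker only understands the fields the mappers need.

```python
import hashlib

# ---- Minimal DER encoder, used only to build the constructed sample certificates ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _seq(*items):
    return _tlv(0x30, b"".join(items))

def _int(n):  # DER INTEGER: minimal two's-complement encoding
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

OID_CN, OID_O = b"\x55\x04\x03", b"\x55\x04\x0a"        # 2.5.4.3 commonName, 2.5.4.10 organizationName
OID_NAMES = {OID_CN: "CN", OID_O: "O"}
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"     # 1.2.840.113549.1.1.11
RSA_ENC = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"        # 1.2.840.113549.1.1.1

def _name(cn, org):
    # Name ::= SEQUENCE OF RelativeDistinguishedName; each RDN is a SET OF AttributeTypeAndValue
    def rdn(oid, value):
        return _tlv(0x31, _seq(_tlv(0x06, oid), _tlv(0x0C, value.encode())))
    return _seq(rdn(OID_O, org), rdn(OID_CN, cn))

def toy_certificate(issuer_cn, issuer_org, serial, subject_cn):
    """Constructed sample: an X.509 v3 skeleton with a placeholder key and a fake signature."""
    alg = _seq(_tlv(0x06, SHA256_RSA), _tlv(0x05, b""))
    validity = _seq(_tlv(0x17, b"240101000000Z"), _tlv(0x17, b"260101000000Z"))
    spki = _seq(_seq(_tlv(0x06, RSA_ENC), _tlv(0x05, b"")), _tlv(0x03, b"\x00" * 17))
    tbs = _seq(_tlv(0xA0, _int(2)), _int(serial), alg, _name(issuer_cn, issuer_org),
               validity, _name(subject_cn, "Example Corp"), spki)
    fake_sig = _tlv(0x03, b"\x00" + hashlib.sha256(tbs).digest())  # not a real signature
    return _seq(tbs, alg, fake_sig)

# ---- Minimal DER reader: just enough to reach serial, issuer and subject ----
def _read_tlv(buf, off):
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _children(body):
    out, off = [], 0
    while off < len(body):
        tag, val, off = _read_tlv(body, off)
        out.append((tag, val))
    return out

def _name_to_string(name_body):
    parts = []
    for _, rdn in _children(name_body):       # each SET
        for _, atv in _children(rdn):         # each AttributeTypeAndValue
            (_, oid), (_, val) = _children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode()}")
    return ",".join(reversed(parts))          # RFC 2253 lists RDNs last-to-first

def _tbs_fields(cert_der):
    (_, cert_body), = _children(cert_der)
    (_, tbs), _, _ = _children(cert_body)      # tbsCertificate, signatureAlgorithm, signature
    fields = _children(tbs)
    return fields[1:] if fields[0][0] == 0xA0 else fields   # drop optional [0] version

# ---- Candidate identity mappers ----
def subject_cn(cert_der):
    subject = _name_to_string(_tbs_fields(cert_der)[4][1])
    return [p for p in subject.split(",") if p.startswith("CN=")][0][3:]

def serial_number(cert_der):
    return int.from_bytes(_tbs_fields(cert_der)[0][1], "big", signed=True)

def issuer_and_serial(cert_der):               # RFC 5280: issuer + serial is unique per certificate
    return f"{_name_to_string(_tbs_fields(cert_der)[2][1])};serial={serial_number(cert_der):x}"

def sha256_thumbprint(cert_der):               # hash over the complete DER encoding
    return hashlib.sha256(cert_der).hexdigest()

def is_unique(certs, mapper):
    keys = [mapper(c) for c in certs]
    return len(set(keys)) == len(keys)

# Constructed inputs: same subject CN everywhere, same serial at two CAs, one renewal at the first CA.
CERTS = [
    toy_certificate("Corp Root CA", "Example Corp", 0x1001, "alice"),
    toy_certificate("Partner CA", "Partner Ltd", 0x1001, "alice"),
    toy_certificate("Corp Root CA", "Example Corp", 0x1002, "alice"),
]

if __name__ == "__main__":
    for label, mapper in [("subject CN", subject_cn), ("serial only", serial_number),
                          ("issuer DN + serial", issuer_and_serial), ("SHA-256 thumbprint", sha256_thumbprint)]:
        print(f"{label:20s} unique across CAs: {is_unique(CERTS, mapper)}")
```

Run as-is and the subject-CN and serial-only mappers report collisions, while issuer+serial and thumbprint keep all three certificates apart. Two practitioner notes: the thumbprint must be computed over the exact DER bytes the client presented (in Java, `X509Certificate.getEncoded()`), since any re-encoding changes the hash; and both of the strong mappers bind the user to one certificate, so a renewed certificate (new serial, new thumbprint) needs the stored identity to be updated before the user can log in again. In a real deployment the DER parsing above is replaced by the platform's X.509 parser; it is written out here only so the example runs offline.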


