[keycloak-dev] Certificate subject DN is provider dependent

Thomas Darimont thomas.darimont at googlemail.com
Tue Feb 12 06:51:36 EST 2019


Hi Sebastian,

how about Keycloak would introduce an option for this authenticator like:
"Use canonical principal extraction" on/off with default "off",
meaning the default behavior stays the same. "on" would then mean to use
the "canonical" option for extracting the subject as you suggested.

Cheers,
Thomas

Am Di., 12. Feb. 2019 um 12:33 Uhr schrieb Lösch, Sebastian <
Sebastian.Loesch at governikus.de>:

> Hello Keycloak developers,
>
> I am currently working on configuring keycloak for X.509 certificate login.
> We store the whole user certificate's subject DN as user attribute. During
> the login we match the authentication certificate's subjectDN against the
> value stored in the user attributes.
> The subject DN is determined executing:
> cert.getSubjectDN().getName()
>
> Here we have a problem regarding the subject DN order. We realized that
> the subject DN order is security provider specific:
>
> ·         Using SUN security provider we get a subject DN like:
> "EMAILADDRESS=bjensen at example.com, CN=Ms. Barbara J Jensen III, O=
> example.com, ST=California, C=US"
>
> ·         Using BouncyCastle security provider we get a subject DN like:
> "C=US,ST=California,O=example.com,CN=Ms. Barbara J Jensen III,E=
> bjensen at example.com"
> This is obviously a problem.
> Does anybody else ran into the same problem?
>
> In my opinion it would be better to use:
>
> cert.getSubjectX500Principal().getName(X500Principal.CANONICAL)
> to determine the subject DN, as the result is provider independent.
> But this would be an backward incompatible change in Method
>
> org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.UserIdentityExtractorBuilder.fromConfig()
>
> What is your opinion?
>
> Best regards
> Sebastian
>
> --
> Solution Engineering
> --
> Governikus GmbH & Co. KG
> Hochschulring 4
> 28359 Bremen, Germany
>
> Phone: +49 421 204 95 - 28
> Fax: +49 421 204 95 - 11
> E-Mail: Sebastian.Loesch at governikus.de<mailto:
> Sebastian.Loesch at governikus.de>
> www.governikus.de<http://www.governikus.de/>
> --
> Governikus GmbH & Co. KG
> Aufsichtsratsvorsitzender: Dr. Martin Hagen | Amtsgericht Bremen HRA
> 22041
> Geschäftsführer: Dr. Stephan Klein
>
> Persönlich haftende Gesellschafterin: Governikus Bremen GmbH
> Geschäftsführer: Dr. Stephan Klein | Amtsgericht Bremen HRB 18756
>
>
> ****************************************************
> Wir sind umgezogen! Bitte beachten Sie unsere neue Anschrift:
> Hochschulring 4, 28359 Bremen
>
> Veranstaltungsvorschau: Besuchen Sie uns...
> Dataport Hausmesse | 02.04.2019 | Hamburg - Schnelsen<
> https://www.dataport.de/Seiten/Aktuelles/Veranstaltungen/190402-Hausmesse-Dataport.aspx
> >
> Digitaler Staat | 02. + 03.04.2019 | Berlin<
> https://www.digitaler-staat.org/>
> 7. Zukunftskongress Staat & Verwaltung | 27. - 29.05.2019 | Berlin<
> https://www.zukunftskongress.info/de>
> Kongress Baden-Württemberg | 04.07.2019 | Stuttgart<https://www.bw-4-0.de/
> >
>
> [cid:image8a82cf.JPG at 26f9b88d.448c29be]<
> http://www.jahrestagung.governikus.de/>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev


More information about the keycloak-dev mailing list