[keycloak-dev] Certificate subject DN is provider dependent

Lösch, Sebastian Sebastian.Loesch at governikus.de
Tue Feb 12 07:00:26 EST 2019

Hello Thomas,


sounds good. Would you be happy, if I provide a pull request fort that?  It seem’s not a big thing to implement.


Best regards,



Von: Thomas Darimont <thomas.darimont at googlemail.com> 
Gesendet: Dienstag, 12. Februar 2019 12:52
An: Lösch, Sebastian <Sebastian.Loesch at governikus.de>
Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
Betreff: Re: [keycloak-dev] Certificate subject DN is provider dependent


Hi Sebastian,


how about Keycloak would introduce an option for this authenticator like: "Use canonical principal extraction" on/off with default "off", 

meaning the default behavior stays the same. "on" would then mean to use the "canonical" option for extracting the subject as you suggested.





Am Di., 12. Feb. 2019 um 12:33 Uhr schrieb Lösch, Sebastian <Sebastian.Loesch at governikus.de <mailto:Sebastian.Loesch at governikus.de> >:

Hello Keycloak developers,

I am currently working on configuring keycloak for X.509 certificate login.
We store the whole user certificate's subject DN as user attribute. During the login we match the authentication certificate's subjectDN against the value stored in the user attributes.
The subject DN is determined executing:

Here we have a problem regarding the subject DN order. We realized that the subject DN order is security provider specific:

·         Using SUN security provider we get a subject DN like:
"EMAILADDRESS=bjensen at example.com <mailto:bjensen at example.com> , CN=Ms. Barbara J Jensen III, O=example.com <http://example.com> , ST=California, C=US"

·         Using BouncyCastle security provider we get a subject DN like:
"C=US,ST=California,O=example.com <http://example.com> ,CN=Ms. Barbara J Jensen III,E=bjensen at example.com <mailto:bjensen at example.com> "
This is obviously a problem.
Does anybody else ran into the same problem?

In my opinion it would be better to use:

to determine the subject DN, as the result is provider independent.
But this would be an backward incompatible change in Method

What is your opinion?

Best regards

Solution Engineering
Governikus GmbH & Co. KG
Hochschulring 4
28359 Bremen, Germany

Phone: +49 421 204 95 - 28
Fax: +49 421 204 95 - 11
E-Mail: Sebastian.Loesch at governikus.de <mailto:Sebastian.Loesch at governikus.de> <mailto:Sebastian.Loesch at governikus.de <mailto:Sebastian.Loesch at governikus.de> >
www.governikus.de <http://www.governikus.de> <http://www.governikus.de/>
Governikus GmbH & Co. KG
Aufsichtsratsvorsitzender: Dr. Martin Hagen | Amtsgericht Bremen HRA
Geschäftsführer: Dr. Stephan Klein

Persönlich haftende Gesellschafterin: Governikus Bremen GmbH
Geschäftsführer: Dr. Stephan Klein | Amtsgericht Bremen HRB 18756

Wir sind umgezogen! Bitte beachten Sie unsere neue Anschrift: Hochschulring 4, 28359 Bremen

Veranstaltungsvorschau: Besuchen Sie uns...
Dataport Hausmesse | 02.04.2019 | Hamburg - Schnelsen<https://www.dataport.de/Seiten/Aktuelles/Veranstaltungen/190402-Hausmesse-Dataport.aspx>
Digitaler Staat | 02. + 03.04.2019 | Berlin<https://www.digitaler-staat.org/>
7. Zukunftskongress Staat & Verwaltung | 27. - 29.05.2019 | Berlin<https://www.zukunftskongress.info/de>
Kongress Baden-Württemberg | 04.07.2019 | Stuttgart<https://www.bw-4-0.de/>

[cid:image8a82cf.JPG at 26f9b88d.448c29be]<http://www.jahrestagung.governikus.de/>
keycloak-dev mailing list
keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org> 

More information about the keycloak-dev mailing list