[keycloak-dev] Certificate subject DN is provider dependent
Lösch, Sebastian
Sebastian.Loesch at governikus.de
Tue Feb 12 08:57:06 EST 2019
Hello developer,
I opened a new issue for Keycloak: https://issues.jboss.org/browse/KEYCLOAK-9554
and provided a pull request: https://github.com/keycloak/keycloak/pull/5878
Best regards,
Sebastian
Von: Pedro Igor Silva <psilva at redhat.com>
Gesendet: Dienstag, 12. Februar 2019 13:24
An: Thomas Darimont <thomas.darimont at googlemail.com>
Cc: Lösch, Sebastian <Sebastian.Loesch at governikus.de>; keycloak-dev <keycloak-dev at lists.jboss.org>
Betreff: Re: [keycloak-dev] Certificate subject DN is provider dependent
Btw, we also support extracting email using a subject alt name extension. Maybe we could safely use CANONICAL (which seems to be more aligned with the specs) and tell people to use this extractor if they want to use email address from certificates.
On Tue, Feb 12, 2019 at 10:19 AM Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>> wrote:
IIRC, email address should be included/parsed as a subject alternative name extension. BouncyCastle seems doing it right.
What is the JDK version being used?
On Tue, Feb 12, 2019 at 9:57 AM Thomas Darimont <thomas.darimont at googlemail.com<mailto:thomas.darimont at googlemail.com>> wrote:
Hi Sebastian,
how about Keycloak would introduce an option for this authenticator like:
"Use canonical principal extraction" on/off with default "off",
meaning the default behavior stays the same. "on" would then mean to use
the "canonical" option for extracting the subject as you suggested.
Cheers,
Thomas
Am Di., 12. Feb. 2019 um 12:33 Uhr schrieb Lösch, Sebastian <
Sebastian.Loesch at governikus.de<mailto:Sebastian.Loesch at governikus.de>>:
> Hello Keycloak developers,
>
> I am currently working on configuring keycloak for X.509 certificate login.
> We store the whole user certificate's subject DN as user attribute. During
> the login we match the authentication certificate's subjectDN against the
> value stored in the user attributes.
> The subject DN is determined executing:
> cert.getSubjectDN().getName()
>
> Here we have a problem regarding the subject DN order. We realized that
> the subject DN order is security provider specific:
>
> · Using SUN security provider we get a subject DN like:
> "EMAILADDRESS=bjensen at example.com<mailto:bjensen at example.com>, CN=Ms. Barbara J Jensen III, O=
> example.com<http://example.com>, ST=California, C=US"
>
> · Using BouncyCastle security provider we get a subject DN like:
> "C=US,ST=California,O=example.com<http://example.com>,CN=Ms. Barbara J Jensen III,E=
> bjensen at example.com<mailto:bjensen at example.com>"
> This is obviously a problem.
> Does anybody else ran into the same problem?
>
> In my opinion it would be better to use:
>
> cert.getSubjectX500Principal().getName(X500Principal.CANONICAL)
> to determine the subject DN, as the result is provider independent.
> But this would be an backward incompatible change in Method
>
> org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.UserIdentityExtractorBuilder.fromConfig()
>
> What is your opinion?
>
> Best regards
> Sebastian
>
> --
> Solution Engineering
> --
> Governikus GmbH & Co. KG
> Hochschulring 4
> 28359 Bremen, Germany
>
> Phone: +49 421 204 95 - 28
> Fax: +49 421 204 95 - 11
> E-Mail: Sebastian.Loesch at governikus.de<mailto:Sebastian.Loesch at governikus.de><mailto:
> Sebastian.Loesch at governikus.de<mailto:Sebastian.Loesch at governikus.de>>
> www.governikus.de<http://www.governikus.de><http://www.governikus.de/>
> --
> Governikus GmbH & Co. KG
> Aufsichtsratsvorsitzender: Dr. Martin Hagen | Amtsgericht Bremen HRA
> 22041
> Geschäftsführer: Dr. Stephan Klein
>
> Persönlich haftende Gesellschafterin: Governikus Bremen GmbH
> Geschäftsführer: Dr. Stephan Klein | Amtsgericht Bremen HRB 18756
>
>
> ****************************************************
> Wir sind umgezogen! Bitte beachten Sie unsere neue Anschrift:
> Hochschulring 4, 28359 Bremen
>
> Veranstaltungsvorschau: Besuchen Sie uns...
> Dataport Hausmesse | 02.04.2019 | Hamburg - Schnelsen<
> https://www.dataport.de/Seiten/Aktuelles/Veranstaltungen/190402-Hausmesse-Dataport.aspx
> >
> Digitaler Staat | 02. + 03.04.2019 | Berlin<
> https://www.digitaler-staat.org/>
> 7. Zukunftskongress Staat & Verwaltung | 27. - 29.05.2019 | Berlin<
> https://www.zukunftskongress.info/de>
> Kongress Baden-Württemberg | 04.07.2019 | Stuttgart<https://www.bw-4-0.de/
> >
>
> [cid:image8a82cf.JPG at 26f9b88d.448c29be]<
> http://www.jahrestagung.governikus.de/>
>
****************************************************
Wir sind umgezogen! Bitte beachten Sie unsere neue Anschrift: Hochschulring 4, 28359 Bremen
Veranstaltungsvorschau: Besuchen Sie uns...
Dataport Hausmesse | 02.04.2019 | Hamburg - Schnelsen<https://www.dataport.de/Seiten/Aktuelles/Veranstaltungen/190402-Hausmesse-Dataport.aspx>
Digitaler Staat | 02. + 03.04.2019 | Berlin<https://www.digitaler-staat.org/>
7. Zukunftskongress Staat & Verwaltung | 27. - 29.05.2019 | Berlin<https://www.zukunftskongress.info/de>
Kongress Baden-Württemberg | 04.07.2019 | Stuttgart<https://www.bw-4-0.de/>
[cid:image71d7fc.JPG at 4dd78026.4b9f719f]<http://www.jahrestagung.governikus.de/>
_______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org<mailto:keycloak-dev at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org<mailto:keycloak-dev at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
More information about the keycloak-dev
mailing list