[keycloak-dev] Certificate subject DN is provider dependent
Pedro Igor Silva
psilva at redhat.com
Tue Feb 12 09:27:39 EST 2019
Thanks. I'm still not sure about that new CANONICAL parameter. Added a
comment to your PR.
On Tue, Feb 12, 2019 at 11:57 AM Lösch, Sebastian <
Sebastian.Loesch at governikus.de> wrote:
> Hello developer,
>
>
>
> I opened a new issue for Keycloak:
> https://issues.jboss.org/browse/KEYCLOAK-9554
>
> and provided a pull request:
> https://github.com/keycloak/keycloak/pull/5878
>
>
>
> Best regards,
>
> Sebastian
>
>
>
>
>
> *Von:* Pedro Igor Silva <psilva at redhat.com>
> *Gesendet:* Dienstag, 12. Februar 2019 13:24
> *An:* Thomas Darimont <thomas.darimont at googlemail.com>
> *Cc:* Lösch, Sebastian <Sebastian.Loesch at governikus.de>; keycloak-dev <
> keycloak-dev at lists.jboss.org>
> *Betreff:* Re: [keycloak-dev] Certificate subject DN is provider dependent
>
>
>
> Btw, we also support extracting email using a subject alt name extension.
> Maybe we could safely use CANONICAL (which seems to be more aligned with
> the specs) and tell people to use this extractor if they want to use email
> address from certificates.
>
>
>
> On Tue, Feb 12, 2019 at 10:19 AM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
> IIRC, email address should be included/parsed as a subject alternative
> name extension. BouncyCastle seems doing it right.
>
>
>
> What is the JDK version being used?
>
>
>
> On Tue, Feb 12, 2019 at 9:57 AM Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
> Hi Sebastian,
>
> how about Keycloak would introduce an option for this authenticator like:
> "Use canonical principal extraction" on/off with default "off",
> meaning the default behavior stays the same. "on" would then mean to use
> the "canonical" option for extracting the subject as you suggested.
>
> Cheers,
> Thomas
>
> Am Di., 12. Feb. 2019 um 12:33 Uhr schrieb Lösch, Sebastian <
> Sebastian.Loesch at governikus.de>:
>
> > Hello Keycloak developers,
> >
> > I am currently working on configuring keycloak for X.509 certificate
> login.
> > We store the whole user certificate's subject DN as user attribute.
> During
> > the login we match the authentication certificate's subjectDN against the
> > value stored in the user attributes.
> > The subject DN is determined executing:
> > cert.getSubjectDN().getName()
> >
> > Here we have a problem regarding the subject DN order. We realized that
> > the subject DN order is security provider specific:
> >
> > · Using SUN security provider we get a subject DN like:
> > "EMAILADDRESS=bjensen at example.com, CN=Ms. Barbara J Jensen III, O=
> > example.com, ST=California, C=US"
> >
> > · Using BouncyCastle security provider we get a subject DN like:
> > "C=US,ST=California,O=example.com,CN=Ms. Barbara J Jensen III,E=
> > bjensen at example.com"
> > This is obviously a problem.
> > Does anybody else ran into the same problem?
> >
> > In my opinion it would be better to use:
> >
> > cert.getSubjectX500Principal().getName(X500Principal.CANONICAL)
> > to determine the subject DN, as the result is provider independent.
> > But this would be an backward incompatible change in Method
> >
> >
> org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.UserIdentityExtractorBuilder.fromConfig()
> >
> > What is your opinion?
> >
> > Best regards
> > Sebastian
> >
> > --
> > Solution Engineering
> > --
> > Governikus GmbH & Co. KG
> > Hochschulring 4
> > 28359 Bremen, Germany
> >
> > Phone: +49 421 204 95 - 28
> > Fax: +49 421 204 95 - 11
> > E-Mail: Sebastian.Loesch at governikus.de<mailto:
> > Sebastian.Loesch at governikus.de>
> > www.governikus.de<http://www.governikus.de/>
> > --
> > Governikus GmbH & Co. KG
> > Aufsichtsratsvorsitzender: Dr. Martin Hagen | Amtsgericht Bremen HRA
> > 22041
> > Geschäftsführer: Dr. Stephan Klein
> >
> > Persönlich haftende Gesellschafterin: Governikus Bremen GmbH
> > Geschäftsführer: Dr. Stephan Klein | Amtsgericht Bremen HRB 18756
> >
> >
> > ****************************************************
> > Wir sind umgezogen! Bitte beachten Sie unsere neue Anschrift:
> > Hochschulring 4, 28359 Bremen
> >
> > Veranstaltungsvorschau: Besuchen Sie uns...
> > Dataport Hausmesse | 02.04.2019 | Hamburg - Schnelsen<
> >
> https://www.dataport.de/Seiten/Aktuelles/Veranstaltungen/190402-Hausmesse-Dataport.aspx
> > >
> > Digitaler Staat | 02. + 03.04.2019 | Berlin<
> > https://www.digitaler-staat.org/>
> > 7. Zukunftskongress Staat & Verwaltung | 27. - 29.05.2019 | Berlin<
> > https://www.zukunftskongress.info/de>
> > Kongress Baden-Württemberg | 04.07.2019 | Stuttgart<
> https://www.bw-4-0.de/
> > >
> >
> > [cid:image8a82cf.JPG at 26f9b88d.448c29be]<
> > http://www.jahrestagung.governikus.de/>
> >
>
>
> ****************************************************
> Wir sind umgezogen! Bitte beachten Sie unsere neue Anschrift:
> Hochschulring 4, 28359 Bremen
>
> Veranstaltungsvorschau: Besuchen Sie uns…
> Dataport Hausmesse | 02.04.2019 | Hamburg – Schnelsen
> <https://www.dataport.de/Seiten/Aktuelles/Veranstaltungen/190402-Hausmesse-Dataport.aspx>
> Digitaler Staat | 02. + 03.04.2019 | Berlin
> <https://www.digitaler-staat.org/>
> 7. Zukunftskongress Staat & Verwaltung | 27. - 29.05.2019 | Berlin
> <https://www.zukunftskongress.info/de>
> Kongress Baden-Württemberg | 04.07.2019 | Stuttgart
> <https://www.bw-4-0.de/>
>
> <http://www.jahrestagung.governikus.de/>
>
> _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
More information about the keycloak-dev
mailing list