[keycloak-dev] Certificate subject DN is provider dependent
Hynek Mlnarik
hmlnarik at redhat.com
Tue Feb 12 12:01:15 EST 2019
Incidentally, this issue has been discussed few weeks ago on this mailing
list in the thread "User TLS client certificate authentication -
inconsistent DN string representation with LDAP" starting on Dec 23. Could
you please ensure the concerns from that thread are addressed in the PR?
On Tue, Feb 12, 2019 at 3:30 PM Pedro Igor Silva <psilva at redhat.com> wrote:
> Thanks. I'm still not sure about that new CANONICAL parameter. Added a
> comment to your PR.
>
> On Tue, Feb 12, 2019 at 11:57 AM Lösch, Sebastian <
> Sebastian.Loesch at governikus.de> wrote:
>
> > Hello developer,
> >
> >
> >
> > I opened a new issue for Keycloak:
> > https://issues.jboss.org/browse/KEYCLOAK-9554
> >
> > and provided a pull request:
> > https://github.com/keycloak/keycloak/pull/5878
> >
> >
> >
> > Best regards,
> >
> > Sebastian
> >
> >
> >
> >
> >
> > *Von:* Pedro Igor Silva <psilva at redhat.com>
> > *Gesendet:* Dienstag, 12. Februar 2019 13:24
> > *An:* Thomas Darimont <thomas.darimont at googlemail.com>
> > *Cc:* Lösch, Sebastian <Sebastian.Loesch at governikus.de>; keycloak-dev <
> > keycloak-dev at lists.jboss.org>
> > *Betreff:* Re: [keycloak-dev] Certificate subject DN is provider
> dependent
> >
> >
> >
> > Btw, we also support extracting email using a subject alt name extension.
> > Maybe we could safely use CANONICAL (which seems to be more aligned with
> > the specs) and tell people to use this extractor if they want to use
> email
> > address from certificates.
> >
> >
> >
> > On Tue, Feb 12, 2019 at 10:19 AM Pedro Igor Silva <psilva at redhat.com>
> > wrote:
> >
> > IIRC, email address should be included/parsed as a subject alternative
> > name extension. BouncyCastle seems doing it right.
> >
> >
> >
> > What is the JDK version being used?
> >
> >
> >
> > On Tue, Feb 12, 2019 at 9:57 AM Thomas Darimont <
> > thomas.darimont at googlemail.com> wrote:
> >
> > Hi Sebastian,
> >
> > how about Keycloak would introduce an option for this authenticator like:
> > "Use canonical principal extraction" on/off with default "off",
> > meaning the default behavior stays the same. "on" would then mean to use
> > the "canonical" option for extracting the subject as you suggested.
> >
> > Cheers,
> > Thomas
> >
> > Am Di., 12. Feb. 2019 um 12:33 Uhr schrieb Lösch, Sebastian <
> > Sebastian.Loesch at governikus.de>:
> >
> > > Hello Keycloak developers,
> > >
> > > I am currently working on configuring keycloak for X.509 certificate
> > login.
> > > We store the whole user certificate's subject DN as user attribute.
> > During
> > > the login we match the authentication certificate's subjectDN against
> the
> > > value stored in the user attributes.
> > > The subject DN is determined executing:
> > > cert.getSubjectDN().getName()
> > >
> > > Here we have a problem regarding the subject DN order. We realized that
> > > the subject DN order is security provider specific:
> > >
> > > · Using SUN security provider we get a subject DN like:
> > > "EMAILADDRESS=bjensen at example.com, CN=Ms. Barbara J Jensen III, O=
> > > example.com, ST=California, C=US"
> > >
> > > · Using BouncyCastle security provider we get a subject DN
> like:
> > > "C=US,ST=California,O=example.com,CN=Ms. Barbara J Jensen III,E=
> > > bjensen at example.com"
> > > This is obviously a problem.
> > > Does anybody else ran into the same problem?
> > >
> > > In my opinion it would be better to use:
> > >
> > > cert.getSubjectX500Principal().getName(X500Principal.CANONICAL)
> > > to determine the subject DN, as the result is provider independent.
> > > But this would be an backward incompatible change in Method
> > >
> > >
> >
> org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.UserIdentityExtractorBuilder.fromConfig()
> > >
> > > What is your opinion?
> > >
> > > Best regards
> > > Sebastian
> > >
> > > --
> > > Solution Engineering
> > > --
> > > Governikus GmbH & Co. KG
> > > Hochschulring 4
> > > 28359 Bremen, Germany
> > >
> > > Phone: +49 421 204 95 - 28
> > > Fax: +49 421 204 95 - 11
> > > E-Mail: Sebastian.Loesch at governikus.de<mailto:
> > > Sebastian.Loesch at governikus.de>
> > > www.governikus.de<http://www.governikus.de/>
> > > --
> > > Governikus GmbH & Co. KG
> > > Aufsichtsratsvorsitzender: Dr. Martin Hagen | Amtsgericht Bremen HRA
> > > 22041
> > > Geschäftsführer: Dr. Stephan Klein
> > >
> > > Persönlich haftende Gesellschafterin: Governikus Bremen GmbH
> > > Geschäftsführer: Dr. Stephan Klein | Amtsgericht Bremen HRB 18756
> > >
> > >
> > > ****************************************************
> > > Wir sind umgezogen! Bitte beachten Sie unsere neue Anschrift:
> > > Hochschulring 4, 28359 Bremen
> > >
> > > Veranstaltungsvorschau: Besuchen Sie uns...
> > > Dataport Hausmesse | 02.04.2019 | Hamburg - Schnelsen<
> > >
> >
> https://www.dataport.de/Seiten/Aktuelles/Veranstaltungen/190402-Hausmesse-Dataport.aspx
> > > >
> > > Digitaler Staat | 02. + 03.04.2019 | Berlin<
> > > https://www.digitaler-staat.org/>
> > > 7. Zukunftskongress Staat & Verwaltung | 27. - 29.05.2019 | Berlin<
> > > https://www.zukunftskongress.info/de>
> > > Kongress Baden-Württemberg | 04.07.2019 | Stuttgart<
> > https://www.bw-4-0.de/
> > > >
> > >
> > > [cid:image8a82cf.JPG at 26f9b88d.448c29be]<
> > > http://www.jahrestagung.governikus.de/>
> > >
> >
> >
> > ****************************************************
> > Wir sind umgezogen! Bitte beachten Sie unsere neue Anschrift:
> > Hochschulring 4, 28359 Bremen
> >
> > Veranstaltungsvorschau: Besuchen Sie uns…
> > Dataport Hausmesse | 02.04.2019 | Hamburg – Schnelsen
> > <
> https://www.dataport.de/Seiten/Aktuelles/Veranstaltungen/190402-Hausmesse-Dataport.aspx
> >
> > Digitaler Staat | 02. + 03.04.2019 | Berlin
> > <https://www.digitaler-staat.org/>
> > 7. Zukunftskongress Staat & Verwaltung | 27. - 29.05.2019 | Berlin
> > <https://www.zukunftskongress.info/de>
> > Kongress Baden-Württemberg | 04.07.2019 | Stuttgart
> > <https://www.bw-4-0.de/>
> >
> > <http://www.jahrestagung.governikus.de/>
> >
> > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
More information about the keycloak-dev
mailing list