[keycloak-dev] X.509 Authenticator - New User Identity Source

Nemanja Hiršl nemanja.hirsl at netsetglobal.rs
Tue Jul 2 10:38:41 EDT 2019


Hi,

The current implementation of the X.509 Authenticator uses a number of different 
mappings of a certificate to a user identity.
None of the provided mappings can guarantee uniqueness. It is up to the CA to 
choose which fields to include in the SubjectDN and SAN, and there might be 
some unique data. In these cases we can use the provided mappers to identify 
users. However, if there's a need to support certificates from different 
CAs, with unrelated usage of the SubjectDN and SAN fields, those mappers are 
not sufficient.

One way to uniquely identify a user is to use the certificate thumbprint. For 
the solution I'm working on, we have implemented a SHA256-Thumbprint 
mapper and it is giving us the expected results.

Do you think a sha256 thumbprint mapper would be a useful addition to the 
already existing mappers?
Should I prepare an appropriate PR?

The other approach might be a combination of serial number and issuer. 
According to RFC 5280, the issuer name and serial number identify a 
unique certificate. This is something I haven't tried, but I would like to 
hear your opinion.

Thanks.

References:
1. There's a nice explanation on Stack Overflow of what can be used to 
uniquely identify users: 
https://stackoverflow.com/questions/5290571/which-parts-of-the-client-certificate-to-use-when-uniquely-identifying-users
2. There's also a discussion here: 
https://issues.jboss.org/browse/KEYCLOAK-9610
3. RFC 5280: https://tools.ietf.org/html/rfc5280#section-4.1.2.2


Best regards,
Nemanja
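The two identity sources discussed above (SHA-256 thumbprint of the DER encoding, and the RFC 5280 issuer + serial pair), as an added example that is not part of the post or of Keycloak's own mapper code. It builds two constructed CAs that each issue a certificate with the same subject CN and the same serial number, the case where a SubjectDN-based mapper cannot distinguish the two users; the issuer is keyed by its DER bytes rather than a string rendering, which is an assumption about how one would store the pair.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Thumbprint is the SHA-256 of the certificate's DER bytes: the value a
// thumbprint mapper would compare with the attribute stored on the user.
func Thumbprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// IssuerSerial is the RFC 5280 (issuer, serialNumber) pair as one lookup key.
// The issuer is keyed by its DER encoding (assumption): string forms of a DN
// are not canonical, so two renderings of one issuer could fail to match.
func IssuerSerial(c *x509.Certificate) string {
	return hex.EncodeToString(c.RawIssuer) + ":" + c.SerialNumber.Text(16)
}

// issue creates a constructed CA named issuerCN and has it sign a leaf for
// subjectCN with the given serial. Keys are throwaway P-256 keys.
func issue(issuerCN, subjectCN string, serial int64) *x509.Certificate {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: issuerCN},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subjectCN},
		NotBefore: now, NotAfter: now.Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	a := issue("CA-A", "alice", 42)
	b := issue("CA-B", "alice", 42) // unrelated CA, same CN and serial
	fmt.Println("CN equal:", a.Subject.CommonName == b.Subject.CommonName)   // true
	fmt.Println("thumbprint equal:", Thumbprint(a) == Thumbprint(b))         // false
	fmt.Println("issuer+serial equal:", IssuerSerial(a) == IssuerSerial(b)) // false
}
```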

