[keycloak-dev] X.509 Authenticator - New User Identity Source
Marek Posolda
mposolda at redhat.com
Tue Jul 2 12:38:04 EDT 2019
On 02/07/2019 16:38, Nemanja Hiršl wrote:
> Hi,
>
> Current implementation of X.509 Authenticator uses a number of
> different mappings of a certificate to user identity.
> None of provided mappings can guarantee uniqueness. It is up to CA to
> choose which fields to include in SubjectDN and SAN and there might be
> some unique data. In these cases we can use provided mappers to
> identify users. However, if there's a need to support certificates
> from different CAs, with unrelated usage of SubjectDN and SAN fields
> those mappers are not sufficient.
>
> One way to uniquely identify user is to use certificate thumbprint.
> For the solution I'm working on, we have implemented SHA256-Thumbprint
> mapper and it is giving us expected results.
>
> Do you think sha256 thumbprint mapper would be a useful addition to
> already existing mappers?
> Should I prepare appropriate PR?
>
> The other approach might be combination of serial number and issuer.
> According to RFC 5280 the issuer name and serial number identify a
> unique certificate. This is something I haven't tried, but would like
> to hear your opinion.
+1 for the serial number + Issuer DN.
I would also vote for removing "Issuer's email" and "Issuer's Common Name",
as I can't imagine that those can ever be used to uniquely identify a
subject, and I doubt that someone is using this in production to
uniquely identify a user?
Adding Peter Nalyvayko to CC as I believe he was the original author who
added those. Peter, feel free to correct me if I am wrong :)
Thanks,
Marek
>
> Thanks.
>
> References:
> 1. There's a nice explanation on stackoverflow of what can be used to
> uniquely identify users:
> https://stackoverflow.com/questions/5290571/which-parts-of-the-client-certificate-to-use-when-uniquely-identifying-users
> 2. There's also a discussion here:
> https://issues.jboss.org/browse/KEYCLOAK-9610
> 3. RFC 5280: https://tools.ietf.org/html/rfc5280#section-4.1.2.2
>
>
> Best regards,
> Nemanja
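Both identity sources discussed above, as an added example that is not Keycloak code or anything from the thread: it derives the SHA-256 thumbprint and an issuer DN + serial key from a DER certificate using only the Python standard library, on two constructed certificates that share a subject but come from unrelated CAs. The DER fixture, the CA names and the serial are invented, and `make_cert` only produces a structurally valid certificate with a dummy key and signature; a Keycloak mapper would read the same fields from `java.security.cert.X509Certificate` instead of this hand parser.

```python
import hashlib

def der(tag, body):  # encode one DER TLV (long-form length for bodies of 128+ bytes)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
der_int = lambda v: der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # positive INTEGER
def der_name(rdns):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, UTF8String values
    return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, oid) + der(0x0C, txt.encode())))
                              for oid, txt in rdns))
def children(body):  # iterate the (tag, value) TLVs directly inside a constructed DER value
    pos = 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        yield tag, body[pos:pos + n]
        pos += n

OID_CN, OID_O = b"\x55\x04\x03", b"\x55\x04\x0A"  # id-at-commonName, id-at-organizationName
ATTR_NAMES = {OID_CN: "CN", OID_O: "O"}
def dn_string(name_body):  # flatten a Name to 'CN=...,O=...' in encoded order
    parts = []
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            parts.append(f"{ATTR_NAMES.get(oid, oid.hex())}={val.decode()}")
    return ",".join(parts)
def tbs_fields(cert_der):  # TBSCertificate fields with the optional [0] version stripped:
    cert_body = next(children(cert_der))[1]  # 0 serial, 1 signature, 2 issuer, 3 validity, 4 subject, ...
    fields = list(children(next(children(cert_body))[1]))
    return fields[1:] if fields[0][0] == 0xA0 else fields
def sha256_thumbprint(cert_der):  # hash of the complete DER encoding, as proposed in the thread
    return hashlib.sha256(cert_der).hexdigest()
def issuer_serial_key(cert_der):  # RFC 5280 4.1.2.2: issuer name + serial identify one certificate
    f = tbs_fields(cert_der)
    return f"{dn_string(f[2][1])}#{int.from_bytes(f[0][1], 'big'):x}"
def make_cert(issuer, serial, subject):  # constructed fixture: valid structure, dummy key/signature
    alg = lambda last: der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01" + last) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"190701000000Z") + der(0x17, b"200701000000Z"))
    spki = der(0x30, alg(b"\x01") + der(0x03, b"\x00" + der(0x30, der_int(3) + der_int(65537))))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + alg(b"\x0B")
              + der_name(issuer) + validity + der_name(subject) + spki)
    return der(0x30, tbs + alg(b"\x0B") + der(0x03, b"\x00" + b"\xAA" * 32))

SUBJECT = [(OID_CN, "jdoe")]  # identical subject issued by two unrelated CAs
CERT_A = make_cert([(OID_CN, "Example CA"), (OID_O, "Example Org")], 0x1A2B3C, SUBJECT)
CERT_B = make_cert([(OID_CN, "Other CA")], 0x1A2B3C, SUBJECT)
```

A subject-based mapper sees `CN=jdoe` for both fixtures, while the thumbprint and the issuer + serial key tell them apart. Both of those keys change whenever a certificate is reissued, so the stored link to the user has to be re-established on renewal, and the issuer DN should be normalized the same way (for example per RFC 4514) every time the key is built.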