[keycloak-dev] X.509 Authenticator - New User Identity Source

Marek Posolda mposolda at redhat.com
Wed Jul 3 02:16:47 EDT 2019


On 03/07/2019 00:20, Nalyvayko, Peter wrote:
> Hi Marek,
>
>
> I believe in the original version the regular expression was the only mapper provided out of the box to parse the unique identity from the subject's DN. Adding the x500 mappers (email, etc.) came up, if I recall correctly, during the PR discussion, but I could be wrong.

Cool, thanks for clarifying.

I think that when we add the "Issuer's DN + serial number" combination, we 
can remove "Issuer's email" and "Issuer's Common Name".

Marek

>
>>   None of provided mappings can guarantee uniqueness.
> For on-premise deployments having a simple mapping (email from x509 cert) may be sufficient as long as there is a single trusted CA.
>
>>   I would vote also for removing "Issuer's email" and "Issuer's Common Name", as I can't imagine that those can ever be used to uniquely identify a subject, and I doubt that someone is using this in production to uniquely identify users?
> +1 I am not aware of any of our clients using the issuer's mappers.
>
> Cheers,
>
> Peter
>
> -----Original Message-----
> From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Marek Posolda
> Sent: Tuesday, July 2, 2019 12:38 PM
> To: Nemanja Hiršl <nemanja.hirsl at netsetglobal.rs>; keycloak-dev at lists.jboss.org
> Subject: Re: [keycloak-dev] X.509 Authenticator - New User Identity Source
>
>
> On 02/07/2019 16:38, Nemanja Hiršl wrote:
>> Hi,
>>
>> Current implementation of X.509 Authenticator uses a number of
>> different mappings of a certificate to user identity.
>> None of the provided mappings can guarantee uniqueness. It is up to the CA
>> to choose which fields to include in the SubjectDN and SAN, and there might
>> be some unique data. In these cases we can use the provided mappers to
>> identify users. However, if there's a need to support certificates
>> from different CAs, with unrelated usage of SubjectDN and SAN fields,
>> those mappers are not sufficient.
>>
>> One way to uniquely identify a user is to use the certificate thumbprint.
>> For the solution I'm working on, we have implemented SHA256-Thumbprint
>> mapper and it is giving us expected results.
>>
>> Do you think sha256 thumbprint mapper would be a useful addition to
>> already existing mappers?
>> Should I prepare appropriate PR?
>>
>> The other approach might be a combination of serial number and issuer.
>> According to RFC 5280 the issuer name and serial number identify a
>> unique certificate. This is something I haven't tried, but would like
>> to hear your opinion.
> +1 for the serial number + Issuer DN.
>
> I would vote also for removing "Issuer's email" and "Issuer's Common Name",
> as I can't imagine that those can ever be used to uniquely identify a subject, and I doubt that someone is using this in production to uniquely identify users?
>
> Adding Peter Nalyvayko to CC as I believe he was the original author who added those. Peter, feel free to correct me if I am wrong :)
>
> Thanks,
> Marek
>
>> Thanks.
>>
>> References:
>> 1. There's a nice explanation on stackoverflow of what can be used to
>> uniquely identify users:
>> https://stackoverflow.com/questions/5290571/which-parts-of-the-client-certificate-to-use-when-uniquely-identifying-users
>> 2. There's also a discussion here:
>> https://issues.jboss.org/browse/KEYCLOAK-9610
>> 3. RFC 5280: https://tools.ietf.org/html/rfc5280#section-4.1.2.2
>>
>>
>> Best regards,
>> Nemanja
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
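The three identity sources debated in this thread, as an added example written for this page in Python with the `cryptography` library (not Keycloak's own mapper code): two constructed, unrelated CAs each issue a certificate carrying the same subject e-mail, and the subject-e-mail mapper, the SHA-256 thumbprint mapper and the issuer DN + serial mapper are compared on the result. The helper names (`issue`, `demo`), the CA names and the user name are assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def _name(cn, email=None):
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, cn)]
    if email:
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, email))
    return x509.Name(attrs)


def issue(subject, issuer, issuer_key, serial, subject_key=None):
    """Sign a one-day cert for `subject` with `issuer_key` (self-signed CA when issuer == subject)."""
    subject_key = subject_key or ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(subject_key.public_key()).serial_number(serial)
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .sign(issuer_key, hashes.SHA256()))


def email_identity(cert):
    """'Subject's e-mail' style mapper: unique only if a single CA guarantees it."""
    return cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)[0].value


def thumbprint_identity(cert):
    """SHA-256 over the DER encoding: unique per certificate, but changes on every renewal."""
    return hashlib.sha256(cert.public_bytes(serialization.Encoding.DER)).hexdigest()


def issuer_serial_identity(cert):
    """Issuer DN + serial number (RFC 5280, 4.1.2.2): unique per certificate across CAs."""
    return f"{cert.issuer.rfc4514_string()}#{cert.serial_number:x}"


def demo():
    # Constructed sample: two unrelated CAs, each issuing to the same subject e-mail.
    ca_a_key = ec.generate_private_key(ec.SECP256R1())
    ca_b_key = ec.generate_private_key(ec.SECP256R1())
    ca_a = issue(_name("CA A"), _name("CA A"), ca_a_key, 1, ca_a_key)
    ca_b = issue(_name("CA B"), _name("CA B"), ca_b_key, 1, ca_b_key)
    user = _name("Alice", "alice@example.test")
    # Same serial on purpose: the serial alone is not unique either, only issuer + serial is.
    cert_a = issue(user, ca_a.subject, ca_a_key, 4711)
    cert_b = issue(user, ca_b.subject, ca_b_key, 4711)
    return {f.__name__: (f(cert_a), f(cert_b))
            for f in (email_identity, thumbprint_identity, issuer_serial_identity)}


if __name__ == "__main__":
    for mapper, (a, b) in demo().items():
        print(f"{mapper:24s} distinct across CAs: {a != b}")
```

Running it shows the e-mail mapper resolving both certificates to the same user while the thumbprint and issuer + serial mappers keep them apart.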