[keycloak-dev] X.509 Authenticator - New User Identity Source

Nemanja Hiršl nemanja.hirsl at netsetglobal.rs
Wed Jul 3 04:34:23 EDT 2019


On 7/3/19 8:16 AM, Marek Posolda wrote:
> On 03/07/2019 00:20, Nalyvayko, Peter wrote:
>> Hi Marek,
>>
>>
>> I believe in the original version the regular expression was the only 
>> mapper provided out of the box to parse the unique identity from the 
>> subject's DN. Adding the x500 mappers (email, etc.) came up, if I 
>> recall correctly, during the PR discussion, but I could be wrong.
>
> Cool, Thanks for clarifying.
>
> I think that when we add "Issuer's DN + serial number" combination, we 
> can remove "Issuer's email" and "Issuer's Common Name".
>

Thanks.
I'll try to prepare a PR in the next couple of days to remove "Issuer's 
email" and "Issuer's Common Name" and add "Issuer's DN and serial number".


Best regards,
Nemanja

> Marek
>
>>
>>>   None of provided mappings can guarantee uniqueness.
>> For on-premise deployments having a simple mapping (email from x509 
>> cert) may be sufficient as long as there is a single trusted CA.
>>
>>> I would also vote for removing "Issuer's email" and "Issuer's Common 
>>> Name", as I can't imagine that those can ever be used to uniquely 
>>> identify a subject, and I doubt that someone is using this in 
>>> production for uniquely identifying a user?
>> +1 I am not aware of any of our clients using the issuer's mappers.
>>
>> Cheers,
>>
>> Peter
>>
>> -----Original Message-----
>> From: keycloak-dev-bounces at lists.jboss.org 
>> <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Marek Posolda
>> Sent: Tuesday, July 2, 2019 12:38 PM
>> To: Nemanja Hiršl <nemanja.hirsl at netsetglobal.rs>; 
>> keycloak-dev at lists.jboss.org
>> Subject: Re: [keycloak-dev] X.509 Authenticator - New User Identity 
>> Source
>>
>>
>> On 02/07/2019 16:38, Nemanja Hiršl wrote:
>>> Hi,
>>>
>>> The current implementation of the X.509 Authenticator uses a number of
>>> different mappings of a certificate to a user identity.
>>> None of the provided mappings can guarantee uniqueness. It is up to the CA to
>>> choose which fields to include in the SubjectDN and SAN, and there might be
>>> some unique data. In these cases we can use the provided mappers to
>>> identify users. However, if there's a need to support certificates
>>> from different CAs, with unrelated usage of SubjectDN and SAN fields,
>>> those mappers are not sufficient.
>>>
>>> One way to uniquely identify a user is to use the certificate thumbprint.
>>> For the solution I'm working on, we have implemented a SHA256-Thumbprint
>>> mapper and it is giving us the expected results.
>>>
>>> Do you think a sha256 thumbprint mapper would be a useful addition to
>>> the already existing mappers?
>>> Should I prepare an appropriate PR?
>>>
>>> The other approach might be a combination of serial number and issuer.
>>> According to RFC 5280 the issuer name and serial number identify a
>>> unique certificate. This is something I haven't tried, but would like
>>> to hear your opinion.
>> +1 for the serial number + Issuer DN.
>>
>> I would also vote for removing "Issuer's email" and "Issuer's Common Name",
>> as I can't imagine that those can ever be used to uniquely identify a 
>> subject, and I doubt that someone is using this in production for 
>> uniquely identifying a user?
>>
>> Adding Peter Nalyvayko to CC as I believe he was the original author 
>> who added those. Peter, feel free to correct me if I am wrong :)
>>
>> Thanks,
>> Marek
>>
>>> Thanks.
>>>
>>> References:
>>> 1. There's a nice explanation on stackoverflow of what can be used to
>>> uniquely identify users:
>>> https://stackoverflow.com/questions/5290571/which-parts-of-the-client-
>>> certificate-to-use-when-uniquely-identifying-users
>>> 2. There's also a discussion here:
>>> https://issues.jboss.org/browse/KEYCLOAK-9610
>>> 3. RFC 5280: https://tools.ietf.org/html/rfc5280#section-4.1.2.2
>>>
>>>
>>> Best regards,
>>> Nemanja
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
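As an added illustration (not code from this thread, and not Keycloak's own mapper implementation), the following Go program compares the three identity sources discussed above side by side: a simple "email from SAN" mapper, a SHA-256 thumbprint of the DER certificate, and the RFC 5280 issuer DN + serial number pair. The CA names, serial numbers and e-mail address are constructed test data; the certificates are generated in memory with the standard library, so it runs offline. The `#` separator between issuer DN and serial is an arbitrary choice for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Sha256Thumbprint returns the lowercase hex SHA-256 digest of the certificate's
// DER encoding: the "SHA256-Thumbprint" style identifier from the thread. It pins
// the user to exactly one certificate, regardless of what the CA put in the DN.
func Sha256Thumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// IssuerSerialIdentity returns "<issuer DN>#<serial in hex>". RFC 5280 4.1.2.2
// requires serial numbers to be unique per issuer, so the pair names exactly one
// certificate even when several unrelated CAs are trusted.
func IssuerSerialIdentity(cert *x509.Certificate) string {
	return cert.Issuer.String() + "#" + cert.SerialNumber.Text(16)
}

// EmailIdentity mimics a plain "email from SAN" mapper ("" when no SAN email).
func EmailIdentity(cert *x509.Certificate) string {
	if len(cert.EmailAddresses) == 0 {
		return ""
	}
	return cert.EmailAddresses[0]
}

// SameUser reports, per mapper, whether two certificates would resolve to the
// same user, so cross-CA collisions and renewals can be compared directly.
func SameUser(a, b *x509.Certificate) map[string]bool {
	return map[string]bool{
		"email":         EmailIdentity(a) != "" && EmailIdentity(a) == EmailIdentity(b),
		"thumbprint":    Sha256Thumbprint(a) == Sha256Thumbprint(b),
		"issuer+serial": IssuerSerialIdentity(a) == IssuerSerialIdentity(b),
	}
}

// newTestCert builds a constructed leaf certificate signed by a throwaway CA
// whose CN is issuerCN. Serial, subject CN and SAN email are caller-chosen so
// that collisions can be manufactured deliberately. Test data only.
func newTestCert(issuerCN string, serial int64, subjectCN, email string) (*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// CreateCertificate copies only the parent's Subject into the leaf's Issuer.
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	leaf := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: subjectCN},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func must(c *x509.Certificate, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	// Constructed scenario: two unrelated CAs issue the same serial to a subject
	// with the same e-mail, and CA One later renews alice's certificate.
	alice1 := must(newTestCert("CA One", 1001, "alice", "alice@example.com"))
	alice2 := must(newTestCert("CA Two", 1001, "alice", "alice@example.com"))
	renewed := must(newTestCert("CA One", 2002, "alice", "alice@example.com"))

	fmt.Println("issuer+serial of alice1:", IssuerSerialIdentity(alice1))
	fmt.Println("different CAs, same email:", SameUser(alice1, alice2))
	fmt.Println("same CA, renewed cert:    ", SameUser(alice1, renewed))
}
```

The output makes the trade-off in the thread concrete: the email mapper treats the two CA One / CA Two certificates as one user (the cross-CA collision Nemanja describes), while both the thumbprint and the issuer + serial pair keep them apart. The flip side is that both certificate-bound identifiers change on renewal, so a deployment using them needs a re-enrolment or re-linking step when a user's certificate is reissued.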