[keycloak-dev] X.509 Authenticator - New User Identity Source
Marek Posolda
mposolda at redhat.com
Wed Jul 3 04:41:29 EDT 2019
Thanks!
Marek
On 03/07/2019 10:34, Nemanja Hiršl wrote:
> On 7/3/19 8:16 AM, Marek Posolda wrote:
>> On 03/07/2019 00:20, Nalyvayko, Peter wrote:
>>> Hi Marek,
>>>
>>>
>>> I believe in the original version the regular expression was the
>>> only mapper provided out of the box to parse the unique identity
>>> from the subject's DN. Adding the x500 mappers (email, etc.) came
>>> up, if I recall correctly, during the PR discussion, but I could be
>>> wrong.
>>
>> Cool, Thanks for clarifying.
>>
>> I think that when we add "Issuer's DN + serial number" combination,
>> we can remove "Issuer's email" and "Issuer's Common Name" .
>>
>
> Thanks.
> I'll try to prepare PR in a next couple of days to remove "Issuer's
> email", "Issuer's Common Name" and add "Issuer's DN and serial number"
>
>
> Best regards,
> Nemanja
>
>> Marek
>>
>>>
>>>> None of provided mappings can guarantee uniqueness.
>>> For on-premise deployments having a simple mapping (email from x509
>>> cert) may be sufficient as long as there is a single trusted CA.
>>>
>>>> I would vote also for remove "Issuer's email" and "Issuer's
>>>> Common Name" as I can't imagine that those can be ever used to
>>>> uniquely identify subject and I doubt that someone is using this in
>>>> production for uniquely identify user?
>>> +1 I am not aware of any of our clients using the issuer's mappers.
>>>
>>> Cheers,
>>>
>>> Peter
>>>
>>> -----Original Message-----
>>> From: keycloak-dev-bounces at lists.jboss.org
>>> <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Marek Posolda
>>> Sent: Tuesday, July 2, 2019 12:38 PM
>>> To: Nemanja Hiršl <nemanja.hirsl at netsetglobal.rs>;
>>> keycloak-dev at lists.jboss.org
>>> Subject: Re: [keycloak-dev] X.509 Authenticator - New User Identity
>>> Source
>>>
>>>
>>> On 02/07/2019 16:38, Nemanja Hiršl wrote:
>>>> Hi,
>>>>
>>>> Current implementation of X.509 Authenticator uses a number of
>>>> different mappings of a certificate to user identity.
>>>> None of provided mappings can guarantee uniqueness. It is up to CA to
>>>> choose which fields to include in SubjectDN and SAN and there might be
>>>> some unique data. In these cases we can use provided mappers to
>>>> identify users. However, if there's a need to support certificates
>>>> from different CAs, with unrelated usage of SubjectDN and SAN fields
>>>> those mappers are not sufficient.
>>>>
>>>> One way to uniquely identify user is to use certificate thumbprint.
>>>> For the solution I'm working on, we have implemented SHA256-Thumbprint
>>>> mapper and it is giving us expected results.
>>>>
>>>> Do you think sha256 thumbprint mapper would be a useful addition to
>>>> already existing mappers?
>>>> Should I prepare appropriate PR?
>>>>
>>>> The other approach might be combination of serial number and issuer.
>>>> According to RFC 5280 the issuer name and serial number identify a
>>>> unique certificate.This is something I haven't tried, but would like
>>>> to hear your opinion.
>>> +1 for the serial number + Issuer DN.
>>>
>>> I would vote also for remove "Issuer's email" and "Issuer's Common
>>> Name"
>>> as I can't imagine that those can be ever used to uniquely identify
>>> subject and I doubt that someone is using this in production for
>>> uniquely identify user?
>>>
>>> Adding Peter Nalyvayko to CC as I believe he was the original author
>>> who added those. Peter, feel free to correct me if I am wrong :)
>>>
>>> Thanks,
>>> Marek
>>>
>>>> Thanks.
>>>>
>>>> References:
>>>> 1. There's a nice explanation on stackoveroflow of what can be used to
>>>> uniquely identify users:
>>>> https://stackoverflow.com/questions/5290571/which-parts-of-the-client-
>>>> certificate-to-use-when-uniquely-identifying-users
>>>> 2. There's also a discussion here:
>>>> https://issues.jboss.org/browse/KEYCLOAK-9610
>>>> 3. RFC 5280: https://tools.ietf.org/html/rfc5280#section-4.1.2.2
>>>>
>>>>
>>>> Best regards,
>>>> Nemanja
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>
More information about the keycloak-dev
mailing list