[keycloak-dev] X.509 Authenticator - New User Identity Source

Nemanja Hiršl nemanja.hirsl at netsetglobal.rs
Mon Jul 8 08:44:54 EDT 2019


Hi Marek,

After having some troubles in resolving merge conflicts, I've finally 
filed a new PR: https://github.com/keycloak/keycloak/pull/6153
Please take a look when you have time.
Thanks.

Best regards,
Nemanja

On 7/3/19 10:41 AM, Marek Posolda wrote:
> Thanks!
>
> Marek
>
> On 03/07/2019 10:34, Nemanja Hiršl wrote:
>> On 7/3/19 8:16 AM, Marek Posolda wrote:
>>> On 03/07/2019 00:20, Nalyvayko, Peter wrote:
>>>> Hi Marek,
>>>>
>>>>
>>>> I believe in the original version the regular expression was the 
>>>> only mapper provided out of the box  to parse the unique identity 
>>>> from the subject's DN. Adding the x500 mappers (email, etc.) came 
>>>> up, if I recall correctly, during the PR discussion, but I could be 
>>>> wrong.
>>>
>>> Cool, Thanks for clarifying.
>>>
>>> I think that when we add "Issuer's DN + serial number" combination, 
>>> we can remove "Issuer's email" and "Issuer's Common Name".
>>>
>>
>> Thanks.
>> I'll try to prepare a PR in the next couple of days to remove "Issuer's 
>> email", "Issuer's Common Name" and add "Issuer's DN and serial number"
>>
>>
>> Best regards,
>> Nemanja
>>
>>> Marek
>>>
>>>>
>>>>>   None of provided mappings can guarantee uniqueness.
>>>> For on-premise deployments having a simple mapping (email from x509 
>>>> cert) may be sufficient as long as there is a single trusted CA.
>>>>
>>>>>   I would vote also for removing "Issuer's email" and "Issuer's 
>>>>> Common Name", as I can't imagine that those can ever be used to 
>>>>> uniquely identify a subject, and I doubt that someone is using this 
>>>>> in production for uniquely identifying users?
>>>> +1 I am not aware of any of our clients using the issuer's mappers.
>>>>
>>>> Cheers,
>>>>
>>>> Peter
>>>>
>>>> -----Original Message-----
>>>> From: keycloak-dev-bounces at lists.jboss.org 
>>>> <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Marek Posolda
>>>> Sent: Tuesday, July 2, 2019 12:38 PM
>>>> To: Nemanja Hiršl <nemanja.hirsl at netsetglobal.rs>; 
>>>> keycloak-dev at lists.jboss.org
>>>> Subject: Re: [keycloak-dev] X.509 Authenticator - New User Identity 
>>>> Source
>>>>
>>>>
>>>> On 02/07/2019 16:38, Nemanja Hiršl wrote:
>>>>> Hi,
>>>>>
>>>>> The current implementation of the X.509 Authenticator uses a number of
>>>>> different mappings of a certificate to a user identity.
>>>>> None of the provided mappings can guarantee uniqueness. It is up to the CA to
>>>>> choose which fields to include in the SubjectDN and SAN, and there 
>>>>> might be
>>>>> some unique data. In these cases we can use the provided mappers to
>>>>> identify users. However, if there's a need to support certificates
>>>>> from different CAs, with unrelated usage of the SubjectDN and SAN fields,
>>>>> those mappers are not sufficient.
>>>>>
>>>>> One way to uniquely identify user is to use certificate thumbprint.
>>>>> For the solution I'm working on, we have implemented 
>>>>> SHA256-Thumbprint
>>>>> mapper and it is giving us expected results.
>>>>>
>>>>> Do you think sha256 thumbprint mapper would be a useful addition to
>>>>> already existing mappers?
>>>>> Should I prepare appropriate PR?
>>>>>
>>>>> The other approach might be a combination of serial number and issuer.
>>>>> According to RFC 5280, the issuer name and serial number identify a
>>>>> unique certificate. This is something I haven't tried, but would like
>>>>> to hear your opinion.
>>>> +1 for the serial number + Issuer DN.
>>>>
>>>> I would vote also for removing "Issuer's email" and "Issuer's Common 
>>>> Name",
>>>> as I can't imagine that those can ever be used to uniquely identify 
>>>> a subject, and I doubt that someone is using this in production for 
>>>> uniquely identifying users?
>>>>
>>>> Adding Peter Nalyvayko to CC as I believe he was the original 
>>>> author who added those. Peter, feel free to correct me if I am 
>>>> wrong :)
>>>>
>>>> Thanks,
>>>> Marek
>>>>
>>>>> Thanks.
>>>>>
>>>>> References:
>>>>> 1. There's a nice explanation on stackoverflow of what can be 
>>>>> used to
>>>>> uniquely identify users:
>>>>> https://stackoverflow.com/questions/5290571/which-parts-of-the-client-certificate-to-use-when-uniquely-identifying-users
>>>>> 2. There's also a discussion here:
>>>>> https://issues.jboss.org/browse/KEYCLOAK-9610
>>>>> 3. RFC 5280: https://tools.ietf.org/html/rfc5280#section-4.1.2.2
>>>>>
>>>>>
>>>>> Best regards,
>>>>> Nemanja
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
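The two identity sources discussed in the thread, the SHA-256 thumbprint and the issuer DN plus serial number, as a stand-alone Go program added here for illustration (it is not Keycloak code, which is Java; the "#" separator and the constructed self-signed certificates are this example's assumptions). It shows two unrelated CAs issuing the same CN, which a CN-based mapper would conflate while either of the proposed mappers keeps them apart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Thumbprint: hex SHA-256 over the DER certificate; any re-issue changes it.
func Thumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// IssuerSerial: issuer DN plus serial, the pair RFC 5280 makes unique per CA
// ("#" as separator is this example's assumption, not Keycloak's format).
func IssuerSerial(cert *x509.Certificate) string {
	return cert.Issuer.String() + "#" + cert.SerialNumber.Text(16)
}

func must[T any](v T, err error) T { // demo-only: abort on any error
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a constructed in-memory certificate; different ca values
// imitate unrelated CAs that both issue a certificate with the same CN.
func selfSigned(ca, cn string, serial int64) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{ca}},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	a, b := selfSigned("CA One", "alice", 1), selfSigned("CA Two", "alice", 1)
	fmt.Println(a.Subject.CommonName == b.Subject.CommonName, IssuerSerial(a) == IssuerSerial(b), Thumbprint(a) == Thumbprint(b)) // true false false
}
```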