[keycloak-dev] X.509 Authenticator - New User Identity Source

Nemanja Hiršl nemanja.hirsl at netsetglobal.rs
Sun Jul 21 06:45:47 EDT 2019


Hi,

did you get a chance to look into this PR?
If there's something wrong with code/logic, I'll be happy to rework
it... Just let me know.

Best regards,
Nemanja

On 7/8/19 2:44 PM, Nemanja Hiršl wrote:
> Hi Marek,
>
> After having some troubles in resolving merge conflicts, I've finally 
> filed new PR: https://github.com/keycloak/keycloak/pull/6153
> Please take a look when you have time.
> Thanks.
>
> Best regards,
> Nemanja
>
> On 7/3/19 10:41 AM, Marek Posolda wrote:
>> Thanks!
>>
>> Marek
>>
>> On 03/07/2019 10:34, Nemanja Hiršl wrote:
>>> On 7/3/19 8:16 AM, Marek Posolda wrote:
>>>> On 03/07/2019 00:20, Nalyvayko, Peter wrote:
>>>>> Hi Marek,
>>>>>
>>>>>
>>>>> I believe in the original version the regular expression was the 
>>>>> only mapper provided out of the box to parse the unique identity
>>>>> from the subject's DN. Adding the x500 mappers (email, etc.) came 
>>>>> up, if I recall correctly, during the PR discussion, but I could 
>>>>> be wrong.
>>>>
>>>> Cool, Thanks for clarifying.
>>>>
>>>> I think that when we add the "Issuer's DN + serial number" combination,
>>>> we can remove "Issuer's email" and "Issuer's Common Name".
>>>>
>>>
>>> Thanks.
>>> I'll try to prepare a PR in the next couple of days to remove "Issuer's
>>> email" and "Issuer's Common Name" and add "Issuer's DN and serial number".
>>>
>>>
>>> Best regards,
>>> Nemanja
>>>
>>>> Marek
>>>>
>>>>>
>>>>>>   None of provided mappings can guarantee uniqueness.
>>>>> For on-premise deployments having a simple mapping (email from 
>>>>> x509 cert) may be sufficient as long as there is a single trusted CA.
>>>>>
>>>>>> I would vote also for removing "Issuer's email" and "Issuer's
>>>>>> Common Name", as I can't imagine that those can ever be used to
>>>>>> uniquely identify a subject, and I doubt that someone is using this
>>>>>> in production to uniquely identify a user?
>>>>> +1 I am not aware of any of our clients using the issuer's mappers.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Peter
>>>>>
>>>>> -----Original Message-----
>>>>> From: keycloak-dev-bounces at lists.jboss.org 
>>>>> <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Marek Posolda
>>>>> Sent: Tuesday, July 2, 2019 12:38 PM
>>>>> To: Nemanja Hiršl <nemanja.hirsl at netsetglobal.rs>; 
>>>>> keycloak-dev at lists.jboss.org
>>>>> Subject: Re: [keycloak-dev] X.509 Authenticator - New User 
>>>>> Identity Source
>>>>>
>>>>>
>>>>> On 02/07/2019 16:38, Nemanja Hiršl wrote:
>>>>>> Hi,
>>>>>>
>>>>>> The current implementation of the X.509 Authenticator uses a number of
>>>>>> different mappings of a certificate to a user identity.
>>>>>> None of the provided mappings can guarantee uniqueness. It is up to
>>>>>> the CA to choose which fields to include in the SubjectDN and SAN, and
>>>>>> there might be some unique data. In these cases we can use the
>>>>>> provided mappers to identify users. However, if there's a need to
>>>>>> support certificates from different CAs, with unrelated usage of the
>>>>>> SubjectDN and SAN fields, those mappers are not sufficient.
>>>>>>
>>>>>> One way to uniquely identify a user is to use the certificate thumbprint.
>>>>>> For the solution I'm working on, we have implemented a SHA256-Thumbprint
>>>>>> mapper and it is giving us the expected results.
>>>>>>
>>>>>> Do you think a sha256 thumbprint mapper would be a useful addition to
>>>>>> the already existing mappers?
>>>>>> Should I prepare an appropriate PR?
>>>>>>
>>>>>> The other approach might be a combination of serial number and issuer.
>>>>>> According to RFC 5280 the issuer name and serial number identify a
>>>>>> unique certificate. This is something I haven't tried, but I would like
>>>>>> to hear your opinion.
>>>>> +1 for the serial number + Issuer DN.
>>>>>
>>>>> I would vote also for removing "Issuer's email" and "Issuer's Common
>>>>> Name", as I can't imagine that those can ever be used to uniquely
>>>>> identify a subject, and I doubt that someone is using this in
>>>>> production to uniquely identify a user?
>>>>>
>>>>> Adding Peter Nalyvayko to CC as I believe he was the original 
>>>>> author who added those. Peter, feel free to correct me if I am 
>>>>> wrong :)
>>>>>
>>>>> Thanks,
>>>>> Marek
>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> References:
>>>>>> 1. There's a nice explanation on stackoverflow of what can be
>>>>>> used to uniquely identify users:
>>>>>> https://stackoverflow.com/questions/5290571/which-parts-of-the-client-certificate-to-use-when-uniquely-identifying-users
>>>>>> 2. There's also a discussion here:
>>>>>> https://issues.jboss.org/browse/KEYCLOAK-9610
>>>>>> 3. RFC 5280: https://tools.ietf.org/html/rfc5280#section-4.1.2.2
>>>>>>
>>>>>>
>>>>>> Best regards,
>>>>>> Nemanja
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>>
>>>>
>>>
>>
>
>
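An added example (not Keycloak's code and not from anyone in the thread) contrasting the three identity sources discussed above: a subject-CN mapper, a SHA-256 thumbprint of the certificate, and the RFC 5280 issuer name plus serial number. It assumes the Python `cryptography` package is available and builds two throw-away certificates for the same subject from two constructed CAs.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def subject_cn_identity(cert: x509.Certificate) -> str:
    """Subject-DN style mapper: the CN alone, which is not unique across CAs."""
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def sha256_thumbprint(cert: x509.Certificate) -> str:
    """SHA-256 over the DER encoding of the whole certificate, lower-case hex."""
    der = cert.public_bytes(serialization.Encoding.DER)
    return hashlib.sha256(der).hexdigest()


def issuer_serial_identity(cert: x509.Certificate) -> str:
    """RFC 5280 4.1.2.2: issuer name plus serial number names one certificate."""
    return f"{cert.issuer.rfc4514_string()}#{cert.serial_number:x}"


def make_cert(issuer_cn: str, subject_cn: str, serial: int) -> x509.Certificate:
    """Constructed test certificate: a throw-away CA key signs a leaf for subject_cn."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(leaf_key.public_key())
        .serial_number(serial)
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=1))
        .sign(ca_key, hashes.SHA256())
    )


def compare_mappers() -> dict:
    """Same subject CN and even the same serial from two unrelated CAs:
    the CN mapper collides, thumbprint and issuer+serial do not."""
    a = make_cert("Example CA A", "alice", 0x1001)
    b = make_cert("Example CA B", "alice", 0x1001)
    return {
        "cn_collides": subject_cn_identity(a) == subject_cn_identity(b),
        "thumbprint_collides": sha256_thumbprint(a) == sha256_thumbprint(b),
        "issuer_serial_collides": issuer_serial_identity(a) == issuer_serial_identity(b),
    }
```

Note that the thumbprint changes on every renewal, whereas issuer+serial also changes per certificate; both are unique per certificate rather than per person, which is the trade-off the thread weighs against the non-unique subject mappers.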


