[keycloak-dev] validating client certificates on user login

Stian Thorgersen sthorger at redhat.com
Thu Nov 7 07:56:05 EST 2019


Looks like a sane PR to me. Tests are missing though. If you use Time from
Keycloak, as I mentioned in the PR comments, you can tweak the server time in
a test to be able to test this.

On Thu, 7 Nov 2019 at 08:27, Knüppel, Pascal <Pascal.Knueppel at governikus.de>
wrote:

> Hi, I was told to send a mail to the developers mailing list regarding the
> following issue to get more input from other developers:
>
> https://issues.jboss.org/browse/KEYCLOAK-11818
>
> Our problem is that users who log in with mutual client authentication via
> X509 certificates are still able to log in if the certificates are expired
> or not valid yet. I added a pull request - that is also referenced in the
> issue - that adds a switch that may be used to validate the notBefore and
> notAfter timestamps of X509 certificates. From our side we would say that
> this is actually a security issue that should be fixed very soon.
>
> Best regards
> Pascal Knüppel
>