[keycloak-dev] validating client certificates on user login

Stian Thorgersen sthorger at redhat.com
Fri Nov 8 01:16:22 EST 2019


Thanks, but I'm afraid unit tests are not sufficient. We can keep the unit
tests you've added as they are nice for development purposes. However, we
need integration level tests as that checks fully how it works (what errors
for instance a client would see) and also allows us to test it in different
builds (for example a patched instance of RH-SSO if we want to backport
this fix).

Adding Sebastian, as he should be able to give you some pointers on what
current tests you can extend.

On Thu, 7 Nov 2019 at 17:11, Knüppel, Pascal <Pascal.Knueppel at governikus.de>
wrote:

> added unit tests :-)
>
>
>
> ****************************************************
> Event preview: come and visit us…
> 11. Jahrestagung E-Akte | 06. + 07.11.2019 | Berlin
> <https://jahrestagung-eakte.de/>
> Kongress e-nrw | 07.11.2019 | Düsseldorf/Neuss <https://www.e-nrw.info/>
> OMNISECURE | 20.-22.01.2020 |Berlin <https://www.omnisecure.berlin/de/>
> Zukunftskongress Staat & Verwaltung |15.-17.06.2020 | Berlin
> <https://www.zukunftskongress.info/de/zksv/willkommen>
>
> *From:* Stian Thorgersen <sthorger at redhat.com>
> *Sent:* Thursday, 7 November 2019 13:56
> *To:* Knüppel, Pascal <Pascal.Knueppel at governikus.de>
> *Cc:* keycloak-dev at lists.jboss.org
> *Subject:* Re: [keycloak-dev] validating client certificates on user login
>
>
>
> Looks like a sane PR to me. Tests are missing though. If you use Time from
> Keycloak as I mentioned in the PR comments you can tweak the server time in
> a test to be able to test this.
>
>
>
> On Thu, 7 Nov 2019 at 08:27, Knüppel, Pascal <
> Pascal.Knueppel at governikus.de> wrote:
>
> Hi, I was told to send a mail to the developers mailing list regarding the
> following issue to get more input from other developers:
>
> https://issues.jboss.org/browse/KEYCLOAK-11818
>
> Our problem is that users who log in with mutual client-authentication via
> X509 certificates are still able to log in if the certificates are expired
> or not valid yet. I added a pull request - that is also referenced in the
> issue - that adds a switch that may be used to validate the notBefore and
> notAfter timestamps of X509 certificates. From our side we would say that
> this is actually a security issue that should be fixed very soon.
>
> Best regards
> Pascal Knüppel
>
>
>
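The check the thread is about, written out as a self-contained example (added here; this is not Keycloak's code nor the code from the PR referenced in KEYCLOAK-11818). It is in Go rather than Keycloak's Java so that it runs with the standard library alone: it generates a throwaway self-signed client certificate, applies a `ValidityPolicy` whose `Enforce` flag stands in for the proposed switch, and takes the clock as an injectable function, which is the same idea as using Keycloak's `Time` so that a test can shift the server time instead of waiting for a certificate to expire. `ValidityPolicy`, `CheckValidityWindow`, `newSelfSignedCert` and `Scenario` are all names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidityPolicy mirrors the switch proposed in the thread (hypothetical type,
// not Keycloak's own): with Enforce false the login path ignores notBefore and
// notAfter, which is the behaviour reported in KEYCLOAK-11818; with Enforce true
// a certificate outside its validity window is rejected.
type ValidityPolicy struct {
	Enforce bool
	Now     func() time.Time // injectable clock, so tests can move the server time
}

var ErrNotYetValid = errors.New("client certificate is not yet valid (notBefore is in the future)")
var ErrExpired = errors.New("client certificate has expired (notAfter is in the past)")

// CheckValidityWindow is the check a login flow should run on the presented
// X.509 client certificate before mapping it to a user.
func (p ValidityPolicy) CheckValidityWindow(cert *x509.Certificate) error {
	if !p.Enforce {
		return nil
	}
	now := p.Now()
	if now.Before(cert.NotBefore) {
		return ErrNotYetValid
	}
	if now.After(cert.NotAfter) {
		return ErrExpired
	}
	return nil
}

// newSelfSignedCert builds a throwaway self-signed certificate with the given
// validity window. Constructed test fixture only; never use such a cert for real.
func newSelfSignedCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "test-user"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario issues a certificate valid from base-1h to base+1h and runs the
// check at the simulated server time; a nil result means the login is accepted.
func Scenario(enforce bool, base, serverTime time.Time) error {
	cert, err := newSelfSignedCert(base.Add(-time.Hour), base.Add(time.Hour))
	if err != nil {
		return err
	}
	p := ValidityPolicy{Enforce: enforce, Now: func() time.Time { return serverTime }}
	return p.CheckValidityWindow(cert)
}

func main() {
	base := time.Date(2019, 11, 7, 12, 0, 0, 0, time.UTC)
	cases := []struct {
		name    string
		enforce bool
		at      time.Time
	}{
		{"switch off, expired cert", false, base.Add(48 * time.Hour)},
		{"switch on, inside window", true, base},
		{"switch on, expired cert", true, base.Add(48 * time.Hour)},
		{"switch on, not yet valid", true, base.Add(-48 * time.Hour)},
	}
	for _, tc := range cases {
		fmt.Printf("%-26s -> %v\n", tc.name, Scenario(tc.enforce, base, tc.at))
	}
}
```

The first case reproduces the reported problem (an expired certificate is still accepted when the check is off); the remaining cases show what an integration test would assert once the switch is on, including the distinct error a client would see for "not yet valid" versus "expired".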