[keycloak-user] X509 Identity Brokering

Marek Posolda mposolda at redhat.com
Thu Jun 15 03:27:40 EDT 2017


I think the use-case of auto-registration makes sense and it will be 
nice to add it as an optional feature to the current X509 support. Could you 
please create a JIRA for it if it doesn't yet exist?

A somewhat similar use case is Kerberos/SPNEGO authentication. That one has 
support for auto-registration as it uses a user storage provider 
(typically LDAP, but standalone Kerberos is also supported), which has 
support for auto-registration as long as registration is allowed for 
the LDAP storage provider.

Marek


On 15/06/17 03:02, Nalyvayko, Peter wrote:
> Hi Thiago,
>
> Have you considered using the LDAP identity provider in conjunction with X509 user authentication? X509 contains an existing identity of a user so whoever's responsible for issuing the certificate can pre-register the user by creating an LDAP record prior to issuing the X509 cert to the user.
> My $0.02
> Regards,
> Peter
>
> ________________________________________
> From: Thiago Presa [thiago.addevico at gmail.com]
> Sent: Wednesday, June 14, 2017 1:23 PM
> To: Nalyvayko, Peter
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] X509 Identity Brokering
>
> Hi Peter,
>
> As far as I could grasp, currently the user would have to manually register himself into the realm, providing a password for the access. After that, he or she can use the certificate instead of the password to log into the realm.
> However, we would like users to log in only through valid X509 certificates. It seems a bit artificial to ask for a password that ultimately won't be used. Can we avoid asking for the password somehow?
>
> Best regards,
> Thiago Presa
>
> On Tue, Jun 13, 2017 at 7:35 PM, Nalyvayko, Peter <pnalyvayko at agi.com> wrote:
> Hi Thiago,
>
> AFAIK x509 user authentication requires an existing user. Can you go into specifics about what your use case is?
> --Peter
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Thiago Presa [thiago.addevico at gmail.com]
> Sent: Tuesday, June 13, 2017 5:47 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] X509 Identity Brokering
>
> Hi,
>
> Does Keycloak support some sort of Identity Brokering through X509? I
> managed to configure the X509 Client Certificate, but it only replaces the
> password, and requires the user to be already registered. What I would like
> to achieve is to automatically register the users who present a valid X509
> Certificate. Is that possible?
>
> Best regards,
> Thiago Presa
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user