[keycloak-user] X509 Direct Grant with client certificate

Nalyvayko, Peter pnalyvayko at agi.com
Mon Jun 3 19:43:42 EDT 2019


Hi Chirag,

Can you expound on what you mean by "sharing the same attribute details"? X509 Direct grant relies on mutual TLS, i.e. a client certificate to find a unique user, so having more than a single user associated with the same certificate will cause an authentication error.

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Chirag Unnadkat [Chirag.Unnadkat at cerillion.com]
Sent: Monday, June 3, 2019 10:35 AM
To: Chirag Unnadkat; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] X509 Direct Grant with client certificate

Hi,

Has anyone else faced a similar issue, and/or managed to resolve something similar?

Kind Regards,

Chirag Unnadkat
Business Analyst
Cerillion plc
E.   chirag.unnadkat at cerillion.com
T.  0207 9276029
W.  www.cerillion.com
Addr.   25 Bedford Street, London, WC2E 9ES, UK

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chirag Unnadkat
Sent: 28 May 2019 16:03
To: keycloak-user at lists.jboss.org
Subject: Caution -Identified as Possible Scam - [keycloak-user] X509 Direct Grant with client certificate

Hi,

Is it possible to pass the same client certificate in a token request with different login credentials?
My current setup doesn't seem to allow this and I can't find any documentation saying this is not possible.

I have configured an X509 Direct grant flow using X509/Validate Username (X.509 Config). This is configured to take the Subject's Common Name, with the attribute "NAME".
I have configured a trust store with 1 certificate (want to share this across users). When I add the Subject Common Name to user 1's attribute, they then require the key pair to generate a token; however, once I share the same attribute details to user 2, both user 1 and 2 stop working. Maybe I am missing some configuration that will allow my users to share the same certificate.

I ideally do not want to have one certificate per user, as this will get out of hand to manage as the population of the realm increases.


Kind Regards,

Chirag Unnadkat

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
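
A simplified model of the lookup described in the reply at the top of this thread, added here as an illustration; it is not part of the original messages and is not Keycloak's code. It assumes the subject CN is pulled from the certificate's DN and must match the "NAME" attribute of exactly one user; the DN, user records, regex and function names are constructed for the example.

```python
import re

# Assumption: a CN-extraction pattern of the kind an X.509 authenticator
# applies to the subject DN string (handles RFC 4514 escapes such as "\,").
CN_PATTERN = re.compile(r"(?:^|,\s*)CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


class AuthError(Exception):
    """Raised when the certificate cannot be mapped to exactly one user."""


def extract_cn(subject_dn):
    match = CN_PATTERN.search(subject_dn)
    if not match:
        raise AuthError("no CN in subject DN")
    # Drop the backslash from escaped characters: "Doe\, John" -> "Doe, John"
    return re.sub(r"\\(.)", r"\1", match.group(1)).strip()


def resolve_user(subject_dn, users, attribute="NAME"):
    """Return the single user whose attribute equals the certificate's CN."""
    cn = extract_cn(subject_dn)
    matches = [name for name, attrs in users.items()
               if cn in attrs.get(attribute, [])]
    # The certificate is the only identity presented in this flow, so an
    # ambiguous match cannot be resolved and is rejected for every user.
    if len(matches) != 1:
        raise AuthError(f"{len(matches)} users match {attribute}={cn!r}; need exactly 1")
    return matches[0]


def try_login(subject_dn, users):
    try:
        return resolve_user(subject_dn, users)
    except AuthError as exc:
        return f"error: {exc}"


# Constructed sample data: one shared client certificate, two realm users.
SHARED_CERT_DN = "CN=shared-client,OU=Integration,O=Example Ltd,C=GB"
one_user = {"user1": {"NAME": ["shared-client"]}, "user2": {}}
two_users = {"user1": {"NAME": ["shared-client"]},
             "user2": {"NAME": ["shared-client"]}}

if __name__ == "__main__":
    print(try_login(SHARED_CERT_DN, one_user))   # attribute set on user 1 only
    print(try_login(SHARED_CERT_DN, two_users))  # same attribute on both users
```

With the attribute on user 1 only, the certificate resolves to user 1; once user 2 carries the same value, the lookup is ambiguous and the request fails regardless of which user was intended.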


