Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make the name of the client certificate attribute which is mapped to roles configurable #39364

Closed
sberyozkin opened this issue Mar 12, 2024 · 4 comments · Fixed by #40838
Closed

Make the name of the client certificate attribute which is mapped to roles configurable #39364

sberyozkin opened this issue Mar 12, 2024 · 4 comments · Fixed by #40838
Assignees
@michalvavrik
Labels
area/vertx kind/enhancement New feature or request
Milestone
3.12.0.CR1

Comments

@sberyozkin
Copy link
Member

sberyozkin commented Mar 12, 2024
edited
Loading

Description

Currently, after #37269, it is possible to map the value of the certificate's CN attribute to the local roles.
@cescoffier has proposed to support other attributes such as the Subject Alternative Name (SAN) as CN may not always be set.

Implementation ideas

Add a property to let users customize the attribute name.
In meantime, it can be done with the custom SecurityIdentityAugmentor
@sberyozkin sberyozkin added the kind/enhancement New feature or request label Mar 12, 2024
@sberyozkin sberyozkin changed the title Make the name of the client certficate attribute which is mapped to roles configurable Make the name of the client certificate attribute which is mapped to roles configurable Mar 12, 2024
@michalvavrik
Copy link
Member

I'll take care of this in next few weeks.

@michalvavrik michalvavrik self-assigned this Mar 15, 2024
@michalvavrik
Copy link
Member

I'll have a look now.

Currently, it is possible to map roles from CN within DN. We can make easily configurable other DN attributes (not sure if it is really useful TBH).

We can also make it configurable for selected extensions like SubjectAlternativeName, but list of configurable options must be discrete and known. I don't think there is safe and effective algorithm to support mapping for all the extensions.

I vote for DNs and SAN.

@sberyozkin @cescoffier do you have concrete X.509 attribute / extensions apart of SAN / CN in mind?

@cescoffier
Copy link
Member

Yeah, DN and SAN are the most important. Yesterday, I found your that Chrome does not allow certificates without SAN anymore. So, I would even say SAN first.

@michalvavrik michalvavrik mentioned this issue May 24, 2024
Merged
@michalvavrik
Copy link
Member

Here is a PR: #40838. I went with discrete list (most frequent) DNs and SANs because I think enum is easier for users to understand as configuration property value and also I want to have tested supported variations to reasonable extent. Please comment if you want in that PR. Thanks

@quarkus-bot quarkus-bot bot added this to the 3.12 - main milestone May 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michalvavrik michalvavrik

Labels
area/vertx kind/enhancement New feature or request
Projects
None yet
Milestone
3.12.0.CR1
3 participants
@cescoffier @sberyozkin @michalvavrik