Skip to content

Keystore spi ldap sasl external #232

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 30 commits into
base: main
Choose a base branch
from
Open

Keystore spi ldap sasl external #232

wants to merge 30 commits into from

Conversation

@tsaarni
Copy link
Member

@tsaarni tsaarni commented Oct 6, 2023
edited
Loading

This code is not part of upstream Keycloak.

This PR adds support to use x.509 client certificate authentication using SASL EXTERNAL with LDAP federation. It also adds support for hot-reload of LDAP client certificate and private key without restarting Keycloak by using Keystore SPI.

Following new provider configuration options are introduced for configuring LDAP client credentials:

Configure credentials as PEM files

--spi-keystore-default-ldap-certificate-file=CERTIFICATE_PEM_FILENAME
--spi-keystore-default-ldap-certificate-key-file=PRIVATE_KEY_PEM_FILENAME

or alternatively as keystore file

--spi-keystore-default-ldap-keystore-file=KEYSTORE_FILENAME
--spi-keystore-default-ldap-keystore-password=PASSWORD
--spi-keystore-default-ldap-keystore-type=TYPE (optional, defaults to "JKS" which in practise is able to load both JKS and PKCS12 keystore files)

The PR builds on top of #230.

This code is also in upstream PR keycloak#7365 but it is blocked until Keycloak can support certificate hot-reload with solution such as #230 or an alternative approach with similar capabilities.

@tsaarni tsaarni force-pushed the keystore-spi-ldap-sasl-external branch from d6b40fc to 56e98af Compare October 31, 2023 15:44
@tsaarni tsaarni mentioned this pull request Oct 31, 2023
Open
justin-tay and others added 17 commits October 31, 2023 11:33
@justin-tay @pedroigor
Allow customization of aud claim with JWT Authentication
3ff0476 
Closes keycloak#21445
@Aboullos
Fix compilation error on springboot (keycloak#24437)
75440ab
@mposolda @pedroigor
Move some UserProfile and Validation classes into keycloak-server-spi
6f99291 
closes keycloak#24387
@mposolda @pedroigor
Update per review
0bd2b34
@rh-iatanaso @ahus1
Updated documentations to mention Resteasy reactive migration
7b06838 
Closes keycloak#23444
@hmlnarik @mposolda
Downgrade transient users to experimental
aa75fef 
Closes: keycloak#24343
Signed-off-by: Hynek Mlnarik <[email protected]>
@dependabot
Bump rollup from 4.1.5 to 4.2.0 in /js (keycloak#24447)
412c8bc 
Bumps [rollup](https://github.com/rollup/rollup) from 4.1.5 to 4.2.0.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.1.5...v4.2.0)

---
updated-dependencies:
- dependency-name: rollup
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
Bump @types/node from 20.8.9 to 20.8.10 in /js (keycloak#24446)
17135a0 
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.8.9 to 20.8.10.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@jonkoops
Improve error handling for Fetch calls (keycloak#24460)
b0c22ce 
Closes keycloak#24293
@k-tamura
Correct the value of option --cache-stack (keycloak#24338)
e96d6b3
@pedroigor @mposolda
Make sure optional default attributes are removed when decorating the…
be65ba8 
… user-define user profile configuration

Closes keycloak#24420
@jonkoops
Add 'Email Verified' checkbox if user profile is enabled (keycloak#24463
222db65 
)
@rokkiter
clean util * (keycloak#24174)
e173513 
Signed-off-by: rokkiter <[email protected]>
@mposolda @andymunro @ahus1
Updating release notes for Keycloak 23 with some 'core features' impr…
70e8204 
…ovements

closes keycloak#23971

Co-authored-by: andymunro <[email protected]>
@rmartinc @mposolda
Escape $ sign when replacing clientId in the role mappers
d7bb594 
Closes keycloak#23692
@jonkoops
Remove UTF-8 encoding header from property files (keycloak#24471)
fe0a945
@andymunro @ahus1
Minor changes to documentation
9ef9c94 
Closes keycloak#24456
@tsaarni tsaarni force-pushed the keystore-spi-ldap-sasl-external branch from 56e98af to 392d1da Compare November 2, 2023 06:30
shawkins and others added 10 commits November 2, 2023 08:41
@shawkins
fix: exceptions should be ignored in until the condition is met (keyc…
a6f6a52 
…loak#24478)

closes keycloak#24477
@jonkoops
Force reporters of bugs to agree to test against the latest Keycloak (k…
8867dd6 
…eycloak#24352)
@martin-kanis @ahus1
Map Store Removal: Delete map profiles and scopes from model tests
e05effe 
Closes keycloak#24093
@antikalk @pedroigor
[issue-14134] test partial import user with id
563ae10 
Fix keycloak#14134
@jonkoops
Fix Cypress tests for User Profile (keycloak#24502)
c91e084
@jonkoops
Remove leftover namespaces from translation keys (keycloak#24486)
bd80f20
@jonkoops
Properly handle array query arguments in Admin Client (keycloak#24483)
a3a2f78 
Closes keycloak#20135
@jonkoops
Enable html reporter for Playwright on CI (keycloak#24488)
7d7880b
@jonkoops
Remove hidden inputs from update password form (keycloak#24489)
1596d87
@vramik @ahus1
Data too long for column 'DETAILS_JSON'
593c14c 
Closes keycloak#17258
@tsaarni tsaarni force-pushed the keystore-spi-ldap-sasl-external branch from 392d1da to 4241521 Compare November 3, 2023 07:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.