QWAC certificate validation in Keycloak


Hryhorii Hevorkian

Feb 25, 2021, 3:04:36 AM2/25/21
to Keycloak Dev
Hello, we have a proposal for how to integrate QWAC certificate validation into the Keycloak core. To do so, we have to add a new filter (QwacValidationFilter) which will handle QWAC certificates from the request. By default, this filter will use a stub service (QwacValidationResource) that does nothing. But if we wish to extend the functionality, we will override this service by using a custom plugin which will access the external validation resource (External QWAC validation service). For more details, please see the schema provided below.

(attachment: diagram.png)

乗松隆志 / NORIMATSU,TAKASHI

Feb 26, 2021, 3:01:08 AM2/26/21
to Hryhorii Hevorkian, Keycloak Dev
Hello Hryhorii,

I think this proposal might be based on the discussion of the web meeting held on Fri 5 Feb for eIDAS support in Keycloak as FAPI-SIG.

In this discussion, it was noted that it might be needed to put some information onto the token depending on the certificate's content. This information can be used for authorization when the ASPSP's banking API receives this token (and a Protocol Mapper may fit this purpose).

Would you consider this point in your proposal, or might it be treated separately?

Regards,
Takashi Norimatsu
Hitachi, Ltd.

Francis Pouatcha

Feb 27, 2021, 1:45:01 PM2/27/21
to 乗松隆志 / NORIMATSU,TAKASHI, Hryhorii Hevorkian, Keycloak Dev
Hello Takashi,

Looks like there is a misunderstanding here.

The purpose of the QWAC accessor so far is
  • to be able to parse and process the special information provided by the QWAC certificate (and TPP role) and validate it against the requested permission;
  • to match the TPP identifier provided by the certificate against the TPP registry provided by the EBA.
Nowhere do we have the requirement of adding that information to the token.

Of course, to bind the produced token to the TPP certificate, well-defined information can be added to the token. But I am not sure this is the right context for the discussion on a sender-bound access token.

Hope I could clarify this. Is there any question? Thought? What information would you like to take from the QWAC into the token?

Best regards,
/Francis
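Francis's first point above, checking the PSD2 information carried by the QWAC against the requested permission, as an added Python example that is not part of this thread or of Keycloak: it walks the DER of a QWAC's QCStatements extension (ETSI TS 119 495), extracts the PSP roles and the NCA identifier, and checks them against a permission-to-role mapping that is an assumption of the example, on a constructed sample value. The EBA registry match from the second point is a network lookup and is left out.

```python
OID_PSD2_QCSTATEMENT = "0.4.0.19495.2"                 # id-etsi-psd2-qcStatement (ETSI TS 119 495)
ROLE_OIDS = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
             "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}
# Role each permission needs; this mapping is an assumption of the example.
PERMISSION_ROLE = {"accounts": "PSP_AI", "payments": "PSP_PI", "fundsconfirmation": "PSP_IC"}
def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(body):                                 # yield (tag, value) inside a SEQUENCE
    pos = 0
    while pos < len(body):
        tag, value, pos = der_tlv(body, pos)
        yield tag, value
def der_oid(value):                                     # handles first arc 0 or 1 only
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc)); acc = 0
    return ".".join(arcs)

def parse_psd2_qcstatement(qcstatements_der):
    """Return {'roles', 'nca_name', 'nca_id'} from a QCStatements extension, else None."""
    _, statements, _ = der_tlv(qcstatements_der)
    for _, statement in der_children(statements):
        (_, oid), (_, info) = list(der_children(statement))[:2]
        if der_oid(oid) != OID_PSD2_QCSTATEMENT:
            continue                                    # e.g. a QcCompliance statement
        (_, roles), (_, nca_name), (_, nca_id) = der_children(info)
        names = [ROLE_OIDS.get(der_oid(list(der_children(role))[0][1]), "unknown")
                 for _, role in der_children(roles)]
        return {"roles": names, "nca_name": nca_name.decode(), "nca_id": nca_id.decode()}
    return None

def tpp_allowed(qcstatements_der, permission):
    """True only if the QWAC carries the PSD2 role the requested permission needs."""
    psd2 = parse_psd2_qcstatement(qcstatements_der)
    return psd2 is not None and PERMISSION_ROLE.get(permission) in psd2["roles"]

SAMPLE_QCSTATEMENTS = bytes.fromhex(                    # constructed sample: PSP_AI + PSP_PI
    "3045 3043 0606 0400 8198 2702"                     # QCStatement { psd2 OID,
    "3039 3026"                                         #   PSD2QcType { rolesOfPSP {
    "3011 0607 0400 8198 2701 03 0c06 5053 505f 4149"   #     { PSP_AI OID, "PSP_AI" }
    "3011 0607 0400 8198 2701 02 0c06 5053 505f 5049"   #     { PSP_PI OID, "PSP_PI" } }
    "0c05 4261 4669 6e"                                 #   nCAName "BaFin"
    "0c08 4445 2d42 4146 494e")                         #   nCAId "DE-BAFIN" } }
```

In a real deployment the DER bytes come from the QCStatements extension (OID 1.3.6.1.5.5.7.1.3) of the client certificate presented on the mTLS connection, after the chain has been validated against the trusted QTSPs.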


乗松隆志 / NORIMATSU,TAKASHI

Mar 1, 2021, 6:17:33 AM3/1/21
to Francis Pouatcha, Hryhorii Hevorkian, Keycloak Dev
Hello,

Thank you for your clarification. I understood its purpose.

By the way, I've listened again to the recording of the breakout web conference held on 5 Feb and recapped it at the following FAPI-SIG 14th meeting.

If possible, could you check it to find out whether there are some misunderstandings?

https://github.com/keycloak/kc-sig-fapi/blob/master/FAPI-SIG/meetings/14th/presentations/FAPI-SIG_14th_MTG_agenda.pdf

page 23

Regards,
Takashi Norimatsu
Hitachi, Ltd.

Francis Pouatcha

Mar 2, 2021, 11:16:42 PM3/2/21
to Keycloak Dev
Hello Takashi,

I do like the QWAC draft. Looks good to me. Let's talk about it in today's meeting.

Best regards,
/Francis
