Actually, in `Symfony\Component\Security\Http\Authenticator\X509Authenticator`, the userIdentifier is always the emailAddress part of the TLS subject:
Subject: C = FR, O =My Organization, CN = user1, emailAddress = [email protected]
In some cases, we do not identify users by their email address and prefer to use the CN (Common Name) as the identifier, because our users do not have an email, or the X.509 client certificate does not contain an email (e.g. in the case of the Caddy server, the emailAddress is not part of the TLS subject).
Is it better to add a parameter to define the subject field (e.g. CN or emailAddress) we want? But it can cause trouble in the case of Apache, because the userKey parameter (aka the field extracted from the TLS subject) contains the SSL_CLIENT_S_DN_Email FastCGI env (Apache only).
In the case of Caddy or Nginx, the HTTP server only returns the SSL_CLIENT_S_DN FastCGI env (it does not split the string and extract CN or emailAddress), and the authenticator tries to extract it from the credentialsKey parameter (aka the TLS subject).
Current x509 config:
- userKey: defaults to SSL_CLIENT_S_DN_Email (Apache) => email part of the TLS subject
- credentialsKey: defaults to SSL_CLIENT_S_DN (all HTTP servers) => TLS subject
Example
No response
mpiot changed the title to "[Security] [Authenticator] X509 authenticator should be able to use CN as UserIdentifier" (Aug 22, 2022)
…nticator (Spomky)
This PR was squashed before being merged into the 6.3 branch.
Discussion
----------
[Security] Allow custom user identifier for X509 authenticator
| Q | A
| ------------- | ---
| Branch? | 6.3
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix #47354
| License | MIT
| Doc PR | **to be created**
This PR allows defining a custom user identifier instead of the hardcoded `emailAddress`.
It also adds a new option for the firewall configuration:
```yaml
# config/packages/security.yaml
security:
    # ...
    firewalls:
        main:
            # ...
            x509:
                provider: your_user_provider
                user_identifier: CN # defaults to emailAddress
```
**💬 Discussion**: user identifier regex changed
Note that the regex has changed. The previous one was able to find an email address as expected, but now that the common name may not contain a `@` (or may contain more than one), it is required to update this part.
It does not impact the previously merged PR #33759, but I prefer to highlight the fact that it can now catch invalid email addresses set in `emailAddress`.
Commits
-------
6479653 [Security] Allow custom user identifier for X509 authenticator
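As an added example (not Symfony's code, and not the merged PR), the snippet below mirrors the resolution logic the issue and the PR describe: with Apache the already-split SSL_CLIENT_S_DN_Email variable can be used for the email, while with Caddy or Nginx the wanted field (CN or emailAddress) has to be extracted from the full SSL_CLIENT_S_DN subject. The function names, the parser and the sample environments are assumptions constructed for this illustration (PHP 8).

```php
<?php
// Added example, not the X509Authenticator implementation: resolve a user
// identifier from the TLS subject fields a FastCGI server exposes.

// Parse an OpenSSL one-line subject ("C = FR, O = My Org, CN = user1, ...")
// into [attribute => value]. Escaped commas inside values are not handled.
function parseSubjectDn(string $dn): array
{
    $fields = [];
    // Split only on commas that are followed by "<attribute> =".
    foreach (preg_split('/,\s*(?=[A-Za-z]+\s*=)/', $dn) as $part) {
        if (!str_contains($part, '=')) {
            continue; // no "key = value" pair, skip it
        }
        [$key, $value] = array_map('trim', explode('=', $part, 2));
        $fields[$key] = $value;
    }

    return $fields;
}

// Return the identifier for the configured subject field, or null when the
// client certificate (or that field) is absent, so no user gets matched.
function resolveUserIdentifier(
    array $server,
    string $userIdentifier = 'emailAddress',
    string $userKey = 'SSL_CLIENT_S_DN_Email',
    string $credentialsKey = 'SSL_CLIENT_S_DN'
): ?string {
    // Apache case: the server already split the email out of the subject.
    if ('emailAddress' === $userIdentifier && !empty($server[$userKey])) {
        return $server[$userKey];
    }
    // Caddy / Nginx case: only the full subject is available.
    if (empty($server[$credentialsKey])) {
        return null; // no client certificate presented
    }
    $fields = parseSubjectDn($server[$credentialsKey]);

    return $fields[$userIdentifier] ?? null;
}

// Constructed sample environments (hypothetical values, not from the page).
$apache = [
    'SSL_CLIENT_S_DN' => 'C = FR, O = My Organization, CN = user1, emailAddress = user1@example.com',
    'SSL_CLIENT_S_DN_Email' => 'user1@example.com',
];
$caddy = ['SSL_CLIENT_S_DN' => 'C = FR, O = My Organization, CN = user1'];

var_dump(resolveUserIdentifier($apache));       // email via SSL_CLIENT_S_DN_Email
var_dump(resolveUserIdentifier($caddy));        // subject has no emailAddress
var_dump(resolveUserIdentifier($caddy, 'CN'));  // CN extracted from the subject
```

The Caddy environment with the default emailAddress identifier yields null rather than a partial match, which is the failure mode the issue reports; switching the identifier to CN resolves it from the subject string.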