[Security] X509 user_identifier parameter #17582

Merged
merged 1 commit into from
Jan 13, 2023
16 changes: 15 additions & 1 deletion reference/configuration/security.rst
Expand Up @@ -666,6 +666,7 @@ X.509 Authentication
provider: your_user_provider
user: SSL_CLIENT_S_DN_Email
credentials: SSL_CLIENT_S_DN
user_identifier: emailAddress

.. code-block:: xml
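Review bot: The added ``user_identifier: emailAddress`` line in the YAML example sets the option to the value this same patch documents as its default (**default**: ``emailAddress``), so a reader cannot tell from the example that the key is optional. Consider a short comment on that line saying it is optional and shows the default, or show a non-default value such as ``CN``, which the new reference section already explains.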

Expand All @@ -687,6 +688,7 @@ X.509 Authentication
<x509 provider="your_user_provider"
user="SSL_CLIENT_S_DN_Email"
credentials="SSL_CLIENT_S_DN"
user_identifier="emailAddress"
/>
</firewall>
</config>
Expand All @@ -703,6 +705,7 @@ X.509 Authentication
->provider('your_user_provider')
->user('SSL_CLIENT_S_DN_Email')
->credentials('SSL_CLIENT_S_DN')
->user_identifier('emailAddress')
;
};
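Review bot: ``->user_identifier('emailAddress')`` in the PHP example uses the snake_case option name as a method name, while Symfony's generated config builder classes expose multi-word options as camelCase methods, so this should most likely read ``->userIdentifier('emailAddress')``. Please confirm against the generated builder class, since a wrong method name would make the copied example fail when the configuration is loaded.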

Expand All @@ -723,7 +726,18 @@ If the ``user`` parameter is not available, the name of the ``$_SERVER``
parameter containing the full "distinguished name" of the certificate
(exposed by e.g. Nginx).

Symfony identifies the value following ``emailAddress=`` in this parameter.
By default, Symfony identifies the value following ``emailAddress=`` in this parameter.
This can be changed using the ``user_identifier`` parameter.

user_identifier
...........

**type**: ``string`` **default**: ``emailAddress``

The ``user_identifier`` parameter is used to find the user identifier in the
"distinguished name" e.g. ``Subject: C=FR, O=My Organization, CN=user1, [email protected]``.

By setting this parameter to ``CN``, the returned user identifier will be the "Common Name" ``user1``

.. _reference-security-firewall-remote-user:
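Review bot: The ``user_identifier`` section title is 15 characters long but is underlined with only 11 dots, and reStructuredText requires the underline to be at least as long as the title text; extend it to 15 dots to avoid a "Title underline too short" warning. Two smaller points in the same hunk: the sentence ending in ``user1`` has no closing period, and it would help to state that the configured value must match the attribute name exactly as it appears in the DN string, since the text only shows ``emailAddress`` and ``CN``.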

8 changes: 4 additions & 4 deletions security.rst
Expand Up @@ -1314,11 +1314,11 @@ ways:
#. First, it tries the ``SSL_CLIENT_S_DN_Email`` server parameter, which is
exposed by Apache;
#. If it is not set (e.g. when using Nginx), it uses ``SSL_CLIENT_S_DN`` and
matches the value following ``emailAddress=``.
matches the value following ``emailAddress``.

You can customize the name of both parameters under the ``x509`` key. See
:ref:`the configuration reference <reference-security-firewall-x509>` for
more details.
You can customize the name of the three parameters under the ``x509`` key.
See :ref:`the configuration reference <reference-security-firewall-x509>`
for more details.

Remote Users
~~~~~~~~~~~~
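Review bot: The changed list item now reads "matches the value following ``emailAddress``", which drops the ``=`` that the reference text in this same patch keeps (``emailAddress=``) and does not say that the attribute is now configurable. Suggest "matches the value following ``emailAddress=`` by default", and in the paragraph below name the three parameters (``user``, ``credentials``, ``user_identifier``) so readers do not have to follow the reference link to learn what the third one is.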