Skip to content

[Security] Allow custom user identifier for X509 authenticator #48200

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 18, 2022
Merged

[Security] Allow custom user identifier for X509 authenticator #48200

merged 1 commit into from
Dec 18, 2022

Conversation

Spomky
Copy link
Contributor

@Spomky Spomky commented Nov 11, 2022
edited by nicolas-grekas
Loading

Q A
Branch? 6.3
Bug fix? no
New feature? yes
Deprecations? no
Tickets Fix #47354
License MIT
Doc PR to be created

This PR allows defining a custom user identifier instead of the hardcoded emailAddress.
It also adds a new option for the firewall configuration:

# config/packages/security.yaml
security:
    # ...

    firewalls:
        main:
            # ...
            x509:
                provider: your_user_provider
                user_identifier: CN # default to emailAddress

💬 Discussion: user identifier regex changed
Note that the regex is changed. The previous one was able to find an email address as expected, but now that the common name may not contain a @ (or may contain more than one), it is required to update this part.
It does not impact the previously merged PR #33759, but I prefer highlight the fact that it can now catch invalid email addresses set in emailAddress.

@carsonbot carsonbot added this to the 6.2 milestone Nov 11, 2022
@nicolas-grekas nicolas-grekas modified the milestones: 6.2, 6.3 Nov 14, 2022
@symfony symfony deleted a comment from carsonbot Nov 14, 2022
@carsonbot carsonbot changed the title Allow custom user identifier for X509 authenticator [Security] Allow custom user identifier for X509 authenticator Nov 14, 2022
nicolas-grekas
nicolas-grekas approved these changes Dec 16, 2022
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor thing and good to go on my side, thanks.

@fabpot
Copy link
Member

fabpot commented Dec 18, 2022

Thank you @Spomky.

@fabpot fabpot merged commit c6c300c into symfony:6.3 Dec 18, 2022
@fabpot fabpot mentioned this pull request Dec 18, 2022
Closed
@Spomky Spomky deleted the features/x509-cn branch December 18, 2022 10:25
@Spomky Spomky mentioned this pull request Jan 31, 2023
Closed
@fabpot fabpot mentioned this pull request May 1, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@wouterj wouterj Awaiting requested review from wouterj

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
Feature Security Status: Reviewed
Projects
None yet
Milestone
6.3
Development

Successfully merging this pull request may close these issues.

[Security] [Authenticator] X509 authenticator should can use CN as UserIdentifier
4 participants
@Spomky @fabpot @nicolas-grekas @carsonbot