From 4a79623e1144929b50715d3e40f1d20fb21088f2 Mon Sep 17 00:00:00 2001 From: Luca Leonardo Scorcia Date: Thu, 3 Dec 2020 11:37:10 -0500 Subject: [PATCH] KEYCLOAK-16456 X509 Auth: add option for OCSP fail-open behavior --- server_admin/topics/authentication/x509.adoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/server_admin/topics/authentication/x509.adoc b/server_admin/topics/authentication/x509.adoc index aa4fd2a3c6..b7b97afebd 100644 --- a/server_admin/topics/authentication/x509.adoc +++ b/server_admin/topics/authentication/x509.adoc @@ -223,6 +223,9 @@ The path to a file containing a CRL list. The value must be a path to a valid fi *OCSP Checking Enabled*:: Checks the certificate revocation status by using Online Certificate Status Protocol. +*OCSP Fail-Open Behavior*:: +By default the OCSP check must return a positive response in order to continue with a successful authentication. Sometimes however this check can be inconclusive: for example, the OCSP server could be unreachable, overloaded, or the client certificate may not contain an OCSP responder URI. When this setting is turned ON, authentication will be denied only if an explicit negative response is received by the OCSP responder and the certificate is definitely revoked. If a valid OCSP response is not avalaible the authentication attempt will be accepted. + *OCSP Responder URI*:: Override the value of the OCSP responder URI in the certificate.
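Review bot: Typo in the new *OCSP Fail-Open Behavior* paragraph: "avalaible" should be "available", and "received by the OCSP responder" should read "received from the OCSP responder". The same paragraph should also state the security trade-off plainly, since this is a fail-open control: with the setting ON, every certificate whose revocation status cannot be determined (responder unreachable, overloaded, or no responder URI in the certificate, as the text itself lists) is accepted without its revocation status being verified, so the docs should say the option should stay OFF unless the deployment accepts that risk, and point operators to the *OCSP Responder URI* setting documented just below as the fix for certificates that lack a responder URI rather than relying on fail-open. Suggested wording for the last sentence: "If a valid OCSP response is not available, the authentication attempt will be accepted. Enable this option only if you accept that the revocation status of such certificates is not verified."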