libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

KEYCLOAK-16456 X509 Auth: add option for OCSP fail-open behavior

Browse source
This commit is contained in:
Luca Leonardo Scorcia 2020-12-03 11:37:10 -05:00 committed by Marek Posolda
parent c0dc9743c9
commit 4a79623e11
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
server_admin/topics/authentication/x509.adoc
View file

@ -223,6 +223,9 @@ The path to a file containing a CRL list. The value must be a path to a valid fi
*OCSP Checking Enabled*:: *OCSP Checking Enabled*::
Checks the certificate revocation status by using Online Certificate Status Protocol. Checks the certificate revocation status by using Online Certificate Status Protocol.
*OCSP Fail-Open Behavior*::
By default the OCSP check must return a positive response in order to continue with a successful authentication. Sometimes however this check can be inconclusive: for example, the OCSP server could be unreachable, overloaded, or the client certificate may not contain an OCSP responder URI. When this setting is turned ON, authentication will be denied only if an explicit negative response is received by the OCSP responder and the certificate is definitely revoked. If a valid OCSP response is not avalaible the authentication attempt will be accepted.
*OCSP Responder URI*:: *OCSP Responder URI*::
Override the value of the OCSP responder URI in the certificate. Override the value of the OCSP responder URI in the certificate.