defenseunicorns / uds-identity-config

https://uds.defenseunicorns.com/core/identity/
Apache License 2.0

x509 issues #125

Closed UnicornChance closed 6 days ago

UnicornChance commented 2 weeks ago

First Issue:

Occasionally when using a CAC, the pop-up that displays user info from the CAC is an empty string.

Steps to reproduce

  1. New registration with SAML and new PKI
  2. Login with Google
  3. Next page should be a "DoD PKI Detected" page and display "No Certificate"

Expected result

Should always show the user's info instead of "No Certificate".

Additional Context

After initial login the attribute hasn't been added to user yet and so it shows "No Certificate", however if you log out and back in it shows correctly.


Second issue:

Another issue is that the registration CAC flow shows an email that doesn't mean anything to humans. Should look into extracting different user data from the CAC in the theme, registry.ftl cacIdentity field.


Third issue:

With a CAC present and "forgot password", the email is autofilled to be something from the CAC that isn't relevant; it should be the user's email if autofilled, although we probably don't have that, so nothing should be autofilled.


Fourth issue:

Password reset page shows help@dsop.mil.

Completion

Have @bburky review code changes.

UnicornChance commented 2 weeks ago

Issue 1: Not sure what to do here, considering this is an expected outcome of the current implementation. Upon clicking the continue button the user attribute is created linking the x509 cert to the user in the usercertificate attribute. So the first time the login-x509-info page is shown, the user won't have the correct attributes for populating this field. Maybe change the message to be something more helpful or remove it altogether?

Issue 2: No progress; need to change the info being extracted from x509 to get the CN instead of the UPN.

Issue 3: Adding the login-reset-password.ftl theme file so that we can control the autofill functionality that comes by default with the Keycloak theme.

Issue 4: Do we have an email we want to substitute here? Or should we just remove that portion of the message and inform users to contact their admins?

bburky commented 2 weeks ago

The CN displayed for 4 is good and is actually the text we probably want to see everywhere.

bburky commented 2 weeks ago

For issue 2, we intentionally extract the UPN to store into the database during registration. Please don't change that.

However, it probably makes sense to display the CN to the user instead of the UPN. Possibly just update the code to extract both the CN and UPN.
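An added example (not the project's own code, which lives in its Keycloak theme and Java; this is Python using the `cryptography` library) of the "extract both" approach: read the subject CN for display while keeping the SAN UPN as the stored identifier. The certificate and the DOE.JOHN… values are constructed for the example; the UPN OID is Microsoft's standard otherName OID.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Microsoft "User Principal Name" otherName OID carried in the SAN of CAC auth certs.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def build_test_cert(cn: str, upn: Optional[str]) -> x509.Certificate:
    """Constructed sample: a self-signed cert with a CAC-style subject and,
    if `upn` is given, a SAN otherName holding the UPN (hypothetical values)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "U.S. Government"),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if upn is not None:
        # The otherName value is a DER UTF8String: tag 0x0C, short-form length, bytes.
        raw = upn.encode("utf-8")
        assert len(raw) < 128, "this sample only encodes short-form DER lengths"
        upn_der = bytes([0x0C, len(raw)]) + raw
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.OtherName(UPN_OID, upn_der)]), critical=False)
    return builder.sign(key, hashes.SHA256())


def extract_identity(cert: x509.Certificate) -> dict:
    """Return both fields: the UPN (stable key stored at registration) and the
    CN (human-readable text to display). A missing field comes back as None."""
    cn_attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    cn = cn_attrs[0].value if cn_attrs else None
    upn = None
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        for other in san.get_values_for_type(x509.OtherName):
            if other.type_id == UPN_OID and other.value[:1] == b"\x0c":
                upn = other.value[2:].decode("utf-8")  # strip UTF8String tag + length
    except x509.ExtensionNotFound:
        pass  # no SAN at all is handled like a SAN without a UPN
    return {"cn": cn, "upn": upn}
```

Displaying `cn` while persisting `upn` keeps the stored link to the usercertificate attribute unchanged, which is the distinction the comment above draws.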

UnicornChance commented 2 weeks ago

re: "make login help message configurable": unfortunately this is defined in the messages_en.properties file, which is not configurable in the sense of env vars or something else. A couple of solutions could be implementing the .ftl file that this actually lives in and controlling it from there with an env variable, or just documenting how to supply different messages_en.properties files.

My thought is to write up an issue to address this, remove the reference to the dsop email, and come back to it later.

https://github.com/defenseunicorns/uds-identity-config/issues/132