previous X509 auth result contains subject with no public credentials

Cantor, Scott cantor.2 at
Mon Nov 23 16:33:51 UTC 2020

On 11/23/20, 11:15 AM, "users on behalf of Bobby Lawrence" <users-bounces at on behalf of robertl at> wrote:

>    I've seen the merging function and I will look into creating a custom one as I've seen if the password flow is skipped (I
> have x509 available as an 'extended' password flow option), then I'm in the same boat....the UsernamePrincipal doesn't
> exist so the X500Principal is the only one that can be used for subject canonicalization and after the first auth, there is no
> certificate in the subject to fetch the alternative names from.

Right. If Password was used, the merged Subject will include the simple-compatible Principal but if it's not used, and X.509 gets reused, you'll get a Subject without anything in it to base the c14n on.

-- Scott

More information about the users mailing list