readme cleanup
Signed-off-by: Tero Saarni <[email protected]>
tsaarni committed Oct 31, 2024
1 parent 29941fa commit b08d8c0
Showing 2 changed files with 6 additions and 6 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -65,7 +65,7 @@ For more information on this, refer to [Understanding Client Certificate Forward
Prerequisites:

* Envoy must use TLS and client certificate authentication for its connection to Keycloak.
* X509 client certificate lookup SPI for Envoy proxy must be configured with the list of expected subject names for clients that are allowed to send XFCC headers.
* X509 Client Certificate Lookup for Envoy must be configured with the list of expected subject names for clients that are allowed to send XFCC headers.

The list is configured as a command line parameter to `kc.sh` in the following format:

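Review bot: dropping the word "SPI" from the second prerequisite leaves the following sentence, "The list is configured as a command line parameter to `kc.sh`", without the hint that this is a Keycloak SPI option being set; consider keeping a parenthetical such as "(a Keycloak X509 client certificate lookup SPI implementation)" on the first mention so the prerequisite still explains itself to readers who land on this section directly.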
10 changes: 5 additions & 5 deletions docs/security-and-client-cert-forwarding.md
Expand Up @@ -22,13 +22,13 @@ Keycloak then uses the certificate for authorization purposes.

Pre-conditions:

- Keycloak is configured with the X509 client certificate lookup SPI for Envoy proxy.
- Keycloak is configured with the X509 Client Certificate Lookup for Envoy.
- A client is created to Keycloak with "X509 client certificate" client authenticator enabled.
- A client running inside Kubernetes cluster connects to Keycloak directly, without going through the Envoy proxy, using mutually authenticated TLS.

Scenario:

Authentication fails because the SPI implementation expects the identity from the XFCC header, which is not set for internal clients.
Authentication fails because X509 Client Certificate Lookup for Envoy expects the identity from the XFCC header, which is not set for internal clients.
The client certificate information from the TLS layer is not used.

![image](assets/xfcc-scenario-1.drawio.svg)
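Review bot: the rewritten scenario line says authentication fails because the lookup "expects the identity from the XFCC header, which is not set for internal clients", and the next line states that "the client certificate information from the TLS layer is not used"; this reads as a contradiction of the later "Authorizing the XFCC Header" section, where direct clients "are authenticated and authorized using their TLS-level client certificates". Since this line is being edited anyway, add a sentence saying whether scenario 1 describes behaviour before the mitigation is applied (or a misconfiguration) so the two sections agree.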
Expand All @@ -37,7 +37,7 @@ The client certificate information from the TLS layer is not used.

Pre-conditions:

- Keycloak is configured with the X509 client certificate lookup SPI for Envoy proxy.
- Keycloak is configured with the X509 Client Certificate Lookup for Envoy.
- A client is created to Keycloak with "X509 client certificate" client authenticator enabled.
- A malicious user has acquired (1) the client ID and (2) the subject name of the client certificate.
- Malicious user has gained access to the cluster e.g., through a compromised pod.
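Review bot: style: the last two pre-condition bullets are inconsistent ("A malicious user has acquired …" vs. "Malicious user has gained access …") and the "e.g.," comma sits on the wrong side; while this list is being touched, make the last bullet "- A malicious user has gained access to the cluster, e.g. through a compromised pod."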
Expand All @@ -52,11 +52,11 @@ The forged certificate can be self-generated by the malicious user, as long as i

## Authorizing the XFCC Header

The following diagram demonstrates the logic implemented by the [X509 client certificate lookup SPI for Envoy proxy](https://github.com/Nordix/keycloak-client-cert-lookup-for-envoy) for authorizing the the use of XFCC headers.
The following diagram demonstrates the logic implemented by the [X509 Client Certificate Lookup for Envoy](https://github.com/Nordix/keycloak-client-cert-lookup-for-envoy) for authorizing the the use of XFCC headers.
This mechanism is designed to accept client certificates forwarded by the Envoy proxy in XFCC header, while also securely handling clients that bypass the proxy and connect directly to Keycloak.
These direct clients are authenticated and authorized using their TLS-level client certificates or other authenticators (e.g. client secret) and are prevented from impersonating other clients by sending unauthorized XFCC headers.

For this mitigation to be effective, Envoy must be configured to use TLS and client certificate authentication for its connection to Keycloak.
Additionally, the X509 client certificate lookup SPI must be configured with the expected client certificate subject names for Envoy proxy.
Additionally, X509 Client Certificate Lookup for Envoy must be configured with the expected client certificate subject names for Envoy proxy.

![image](assets/client-authorization-flow.drawio.svg)
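Review bot: the rewritten sentence keeps the duplicated article in "for authorizing the the use of XFCC headers"; since this line is already being changed, drop the extra "the". The same hunk's last changed line, "must be configured with the expected client certificate subject names for Envoy proxy", would also read better as "… subject names of the Envoy proxy", matching the README's wording about the list of expected subject names.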
