[WIP] PKI (two way TLS) auth support #1181
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
NOTE: This PR is meant to be more for discussion than for merging in this code as it stands.
At @DecipherNow, we have many clients that have a sizable investment in two way SSL/TLS. Rather than having every web app authenticate via their PKI, there's an interest in moving to a setup where they can auth via PKI once to receive an OAuth/OIDC token, and then use that token to authenticate with each web app, using an
user_dn
claim to pass along the user's Distinguished Name (taken from the cert their browser presented).The code presented in this PR represents the simplest approach I could find to make this possible, so there are some obvious changes (in the works) e.g. to make corresponding changes to the config options, etc. I'm currently abusing the
PasswordConnector
, as it was easier to implement this while making minimal changes to the existing code, and allowing the (existing) types to guide the implementation.With those warts aside, there's still the open question: what to do about custom claims (e.g.
user_dn
)?Adding the
user_dn
claim required touching a number ofstruct
s and tweaking the tables/queries In the SQL backend (storage/sql/crud.go
).TL;DR: Would there be interest in an architectural change that would allow for each of the backends supporting any arbitrary set of (potentially user defined) claims? If so, @DecipherNow would like to allocate resources to make the required changes.
If that's something that we could upstream, I'd love to chat about how to proceed design-wise - whether here, IRC, Slack, or whatever works best for you.