Comments (8)

amdonov avatar amdonov commented on June 27, 2024 1

I'm going to close this issue. @reluxa, If you don't want artifact binding for your use case, you can change the TLS configuration of the IdP by setting the TLSConfig property on the IdP. I realize it means creating your own binary, but I don't want to allow it via configuration change because of the side effects.

from lite-idp.

amdonov avatar amdonov commented on June 27, 2024

I agree. However, my primary use case is artifact binding. In that flow, I authenticate service providers by their certificate rather than verifying XML signatures on the requests. I don't think go allows you to prompt for a certificate on one path but not others, but I could be wrong. I'll revisit this and see if I can come up with a solution. I'm open to suggestions.

from lite-idp.

shanesiebken avatar shanesiebken commented on June 27, 2024

One approach you can take is by manually verifying that there is a certificate on whichever paths require a certificate. i.e. (pulled from a handler I wrote for testing this same problem):

// Reject requests on this path that did not present a client certificate.
// r.TLS is nil on a plaintext connection, so guard it before dereferencing.
if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
	http.Error(w, "No certificate provided with request", http.StatusForbidden)
	log.Debugf("Request with no authorization info or certificate failed authentication")
	return
}

It's far from ideal, and I honestly can't say I'd advocate for that to be added in this project, but @reluxa could fork and take a similar approach.

EDIT: This would be paired with the VerifyClientCertIfGiven config as mentioned in the issue. The whole thing could likely be conditionalized with a handler that only does that check wrapped around in cases where it's desired.

from lite-idp.

amdonov avatar amdonov commented on June 27, 2024

That's what's happening here.

// DefaultArtifactResolveHandler is the default implementation for the artifact resolution handler. It can be used as is, wrapped in other handlers, or replaced completely.

Clients are always prompted for a certificate, but it's the only path that requires them. However, clients don't include certificates in the request if we don't at a minimum request them.

from lite-idp.

shanesiebken avatar shanesiebken commented on June 27, 2024

Oh, with that said - the suggested client auth configuration ought to behave appropriately. VerifyClientCertIfGiven is a bit misleading, in that it does request a certificate (https://golang.org/pkg/crypto/tls/#ClientAuthType), and verifies it if it's given.

from lite-idp.

shanesiebken avatar shanesiebken commented on June 27, 2024

And that said, I saw some odd behavior with that client auth configuration in Firefox. I didn't dig around too much in there to understand what was going on, and I can't remember whether or not I verified the behavior on other client auth configs. That's not terribly helpful, but something to potentially be wary of.

from lite-idp.

amdonov avatar amdonov commented on June 27, 2024

The "suggested" client auth configuration is the current configuration,

ClientAuth: tls.VerifyClientCertIfGiven,

from lite-idp.
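The two pieces discussed in this thread, a server-wide `tls.VerifyClientCertIfGiven` configuration plus a per-path handler wrapper that insists on a certificate only for artifact resolution, put together as an added example. This is not lite-idp's code; the `/saml/sso` and `/saml/artifact` paths and the `probe` helper are invented for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"net/http"
	"net/http/httptest"
)

// requireClientCert wraps next so only requests that presented a client certificate reach it.
func requireClientCert(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// r.TLS is nil on plaintext connections, so guard the dereference.
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "client certificate required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newIdPTLSConfig asks every client for a certificate but verifies it only when one is sent.
func newIdPTLSConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.VerifyClientCertIfGiven,
		ClientCAs:  clientCAs, // presented certificates are verified against this pool
		MinVersion: tls.VersionTLS12,
	}
}

// newIdPMux leaves the (placeholder) SSO path open and gates the (placeholder) artifact path.
func newIdPMux() *http.ServeMux {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
	mux := http.NewServeMux()
	mux.Handle("/saml/sso", ok)
	mux.Handle("/saml/artifact", requireClientCert(ok))
	return mux
}

// probe simulates a TLS request to path, with or without a peer certificate, and returns the status.
func probe(path string, withCert bool) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.TLS = &tls.ConnectionState{}
	if withCert {
		req.TLS.PeerCertificates = []*x509.Certificate{{}} // constructed, empty certificate stands in for a verified one
	}
	rec := httptest.NewRecorder()
	newIdPMux().ServeHTTP(rec, req)
	return rec.Code
}
```

Because the listener-level setting only requests a certificate, a browser hitting `/saml/sso` without one is still served, while `/saml/artifact` returns 403 unless the TLS handshake carried a client certificate.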

shanesiebken avatar shanesiebken commented on June 27, 2024

Whew, I had this issue totally backwards in my head. Thanks for clearing that up and sorry for the confusion.

from lite-idp.
