
question: x509 authentication

Open: ainesophaur opened this issue 3 years ago • 1 comment

First, but unrelated to the topic, thank you for all of your amazing projects. I recently came across the thread which inspired you to write caddy-git, and your candor and contributions to the community are such a breath of fresh air.

Back on topic :)

I came across the x509 authp document, which has a TODO. I wasn't sure if it was a TODO to write the documentation or the implementation and documentation.

I checked into the go-authcrunch (btw, I love the split from the original auth-portal; I love the fact that it could be included with my Gin projects ❤️‍🔥) and I couldn't find any implementations for x509 auth.

I'm in the planning phase for a project, for which x509 auth with caddy-security would be a wonderful fit.

I was curious if the ldap backend would be a good place for me to start with writing an x509 implementation. I would love to contribute any work back (if we go this route), but I wanted to see if you had any previous requirements, hurdles or issues with an x509 backend that I could take into consideration when contributing back.

ainesophaur · Jan 25 '22 15:01

> First, but unrelated to the topic, thank you for all of your amazing projects. I recently came across the thread which inspired you to write caddy-git, and your candor and contributions to the community are such a breath of fresh air.

@ainesophaur, thank you for the kind words 👍 Please consider https://github.com/greenpau/caddy-security/issues/14#issue-1111599735

> I came across the x509 authp document, which has a TODO. I wasn't sure if it was a TODO to write the documentation or the implementation and documentation.

There are two possible types of x509 implementation:

  1. Session-based (TLS), at the connection level.
  2. App-based, at the HTTP app level.

The one I had in mind for Caddy is the "app-based". A user goes to the portal, inputs username/email, gets dropped to a "sandbox", and is presented with a challenge. The sandbox triggers client-side JavaScript and the user performs actions that utilize the local certificate store. So ... I started experimenting with the JavaScript, but did not get to complete it.

The "session-based" implementation was not in the books, because caddy and code were packaged as one. Now that it is separate, this could be done (and then used with non-Caddy frameworks). Note: I think Caddy already has an x509 auth implementation.

greenpau · Jan 25 '22 15:01
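The "session-based (TLS) at the connection level" variant from the comment above, as an added Go example that is not code from caddy-security or go-authcrunch: a server whose TLS configuration requires a client certificate chaining to a chosen CA, a handler that derives the principal from the verified chain, and a client without a certificate that is refused during the handshake and never reaches the HTTP handler. The CA, the `alice@example.org` identity and the function names (`issueCert`, `identityFromTLS`, `get`, `demo`) are constructed for this example; `httptest` supplies the server certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert builds fixtures for this added example (not caddy-security code): a self-signed CA when parent is nil, otherwise a client cert signed by parent.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// identityFromTLS maps an already-verified connection to a principal. It reads VerifiedChains, never PeerCertificates, so an unverified leaf is never trusted.
func identityFromTLS(cs *tls.ConnectionState) (string, error) {
	if cs == nil || len(cs.VerifiedChains) == 0 || len(cs.VerifiedChains[0]) == 0 {
		return "", fmt.Errorf("no verified client certificate on connection")
	}
	return cs.VerifiedChains[0][0].Subject.CommonName, nil
}

// get performs GET / offering certs (nil offers none) and returns the principal the server reported.
func get(srv *httptest.Server, certs []tls.Certificate) (string, error) {
	cfg := srv.Client().Transport.(*http.Transport).TLSClientConfig.Clone() // already trusts the test server cert
	cfg.Certificates = certs
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return "", err // handshake refused: the request never reached the HTTP handler
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("status %d: %s (%v)", resp.StatusCode, body, err)
	}
	return string(body), nil
}

// demo issues a CA and one client certificate, serves with mandatory client auth, and reports the principal seen plus whether a bare client was refused.
func demo() (principal string, bareRejected bool, err error) {
	ca, caKey, err := issueCert("Example Root CA", nil, nil)
	if err != nil {
		return "", false, err
	}
	leaf, leafKey, err := issueCert("alice@example.org", ca, caKey)
	if err != nil {
		return "", false, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if who, err := identityFromTLS(r.TLS); err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
		} else {
			fmt.Fprint(w, who)
		}
	}))
	// Session-based x509: the policy is enforced in the handshake, before any HTTP app runs.
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS() // httptest supplies the server certificate
	defer srv.Close()
	principal, err = get(srv, []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}})
	if err != nil {
		return "", false, err
	}
	_, bareErr := get(srv, nil)
	return principal, bareErr != nil, nil
}
```

Calling `demo()` returns `"alice@example.org"`, `true`, `nil`: the certificate-bearing client is identified by the CN of its verified leaf, and the bare client fails before any handler runs. Because the policy lives in the handshake, the HTTP layer never gets a chance to interact with a user who has no certificate; that is the trade-off against the app-based variant described above, which can show a page and fall back to another method but must then do its own certificate verification rather than trusting whatever the client presents. In either variant the check that matters is reading the verified chain, not `PeerCertificates`.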