hydra
hydra copied to clipboard
ory
mTLS for admin/public interfaces
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] This issue affects my Ory Network project.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Describe your problem
We would like to have mTLS option for both the admin and public interfaces.
Describe your ideal solution
Introduce configurable ClientAuth and ClientCAs in server handler tls configuration.
Configuration:
serve.public.tls.client_ca: /path/to/file.pem
serve.admin.tls.client_ca: /path/to/file.pem
when specified, then ClientAuth would be set to ClientAuthType.RequireAndVerifyClientCert
Version
2.x
Additional Context
Willing to help implementing it if necessary!
Thanks for filing this @aarmam! @zepatrik I'd love your opinion here as we're working on improvements to API keys and PAKs. Would mTLS be possible to implement in this context?
There are many ways to do service authentication. While mTLS definitely is one of the most common, we would like to keep this complexity out of our services and rather recommend to offload this to a sidecar. Hydra would then only listen on localhost and therefore be only available through the sidecar. The complexity comes when you require multiple CAs with different priviledges, need CA rotation, ....
A sidecar approach allows anyone to use any kind of auth, not just mTLS. Does that answer your question @aarmam?
I agree with Patrik here - mTLS (termination) should be done in envoy or another ingress proxy. Solving this in Hydra will have a lot of complexity - from different TLS modes to CAs, self signed certs, and so on :)
I think mTLS is a reasonable request. The only difficulty in the implementation would be auto-reloading the client CAs from disk.
@aarmam after internal discussion, we won't be prioritizing mTLS support on our end. We'd be happy to review a PR if you'd like to contribute it though!
Before contributing please read through https://github.com/ory/fosite/issues/661 :)
Hello contributors!
I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue
- open a PR referencing and resolving the issue;
- leave a comment on it and discuss ideas on how you could contribute towards resolving it;
- leave a comment and describe in detail why this issue is critical for your use case;
- open a new issue with updated details and a plan for resolving the issue.
Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.
Unfortunately, burnout has become a topic of concern amongst open-source projects.
It can lead to severe personal and health issues as well as opening catastrophic attack vectors.
The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.
If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.
Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!
Thank you 🙏✌️
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}