lua-resty-openidc
authentication type "tls_client_auth_subject_dn" support as feature request
Currently lua-resty-openidc supports ["client_secret_basic" | "client_secret_post" | "private_key_jwt" | "client_secret_jwt"] for authentication to the IDP.
Is there any way to extend or implement a hook to support tls_client_auth_subject_dn as authentication method to our IDP?
Best Regards
Andreas
As the code currently stands this is not possible. Right now the authentication methods are hard-coded (the supported_token_auth_methods dictionary and the body of openidc.call_token_endpoint) but it should be possible to refactor the code to make this extensible. I can help with hints if anybody wants to give it a try.
This would be great. We need this mTLS feature, but without a little bit of guidance and support it seems to be a hard job. One problem seems to be to inject the cert into the httpc:request_uri.
I know that it is possible to use mTLS for upstream connections with proxy_ssl_certificate and proxy_ssl_certificate_key. The code is already implemented for mTLS... but using them in the OIDC flow - no idea where to start.
The call_token_endpoint ends in https://github.com/ledgetech/lua-resty-http/blob/master/lib/resty/http.lua#L657 but maybe the http module is not the right one for mTLS..
Making the set of authentication methods extensible is probably not difficult. We could add module level functions that modify supported_token_auth_methods and instead of storing true there we'd make the value a function containing the implementation (or a dictionary containing more than one function).
The current implementations augment headers or the body of the request but for mtls you'd need access to the lua-resty-http instance itself.
I must admit I haven't even looked at whether it supports client certificates at all so far. So maybe my "should be possible" and the offer to provide hints have been a bit premature :-) Need to look into the mechanism used there myself.
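The refactoring sketched in the two posts above (a function per auth method instead of `true`, plus a module-level registration hook, and a hook that can reach the HTTP request parameters rather than only headers and body) could look like the following. This is an added illustration written for this thread, not code from lua-resty-openidc or lua-resty-http; the function names, the `tls_client_auth_subject_dn` entry and the `ssl_client_cert` / `ssl_client_priv_key` request parameters are assumptions about what a refactored library and a lua-resty-http release that accepts a client certificate would provide, and the configuration values are constructed.

```lua
-- Added sketch (hypothetical API, not lua-resty-openidc's own code): an extensible
-- registry of token endpoint auth methods. Each entry is a function that may edit
-- the request headers, the form body and the lua-resty-http request parameters.
local M = {}

-- Minimal base64 encoder so the sketch runs in plain Lua; under OpenResty the
-- real implementation would use ngx.encode_base64.
local function base64(s)
  local alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  local out = {}
  for i = 1, #s, 3 do
    local a, b, c = s:byte(i, i + 2)
    local n = a * 65536 + (b or 0) * 256 + (c or 0)
    for j = 3, 0, -1 do
      local idx = math.floor(n / 64 ^ j) % 64
      out[#out + 1] = alphabet:sub(idx + 1, idx + 1)
    end
  end
  local pad = (3 - #s % 3) % 3
  local str = table.concat(out)
  return str:sub(1, #str - pad) .. string.rep("=", pad)
end

-- Registry: method name -> function(headers, body, http_params, opts).
-- The first two mirror what "client_secret_basic" and "client_secret_post" do today
-- (credentials go into a header or the form body); the third is the hypothetical
-- mTLS entry, where the credential is a certificate that must reach the HTTP client.
M.supported_token_auth_methods = {
  client_secret_basic = function(headers, body, http_params, opts)
    headers["Authorization"] = "Basic " .. base64(opts.client_id .. ":" .. opts.client_secret)
  end,
  client_secret_post = function(headers, body, http_params, opts)
    body.client_id = opts.client_id
    body.client_secret = opts.client_secret
  end,
  tls_client_auth_subject_dn = function(headers, body, http_params, opts)
    body.client_id = opts.client_id
    -- Assumed lua-resty-http request parameters for a client certificate; verify
    -- against the lua-resty-http version actually deployed.
    http_params.ssl_client_cert = opts.client_cert
    http_params.ssl_client_priv_key = opts.client_key
  end,
}

-- Module-level hook so a deployment can add a method without editing the library.
function M.register_token_auth_method(name, fn)
  assert(type(fn) == "function", "auth method must be a function")
  M.supported_token_auth_methods[name] = fn
end

-- Builds the table that call_token_endpoint would hand to httpc:request_uri.
-- Returns nil plus an error for a method that is not registered.
function M.build_token_request(opts, grant_body)
  local method = opts.token_endpoint_auth_method or "client_secret_basic"
  local impl = M.supported_token_auth_methods[method]
  if not impl then
    return nil, "unsupported token endpoint auth method: " .. tostring(method)
  end
  local headers = { ["Content-Type"] = "application/x-www-form-urlencoded" }
  local body = {}
  for k, v in pairs(grant_body) do body[k] = v end
  local http_params = { method = "POST", headers = headers, ssl_verify = true }
  impl(headers, body, http_params, opts)
  http_params.body = body -- under OpenResty, encode with ngx.encode_args before sending
  return http_params
end

-- Constructed sample configuration (placeholder values, not real credentials).
local sample_opts = {
  client_id = "demo-client",
  client_secret = "demo-secret",
  token_endpoint_auth_method = "client_secret_basic",
}
local req = assert(M.build_token_request(sample_opts,
  { grant_type = "authorization_code", code = "constructed-code" }))
print(req.headers["Authorization"])

-- Switching to the mTLS entry leaves headers alone and fills the TLS parameters instead.
sample_opts.token_endpoint_auth_method = "tls_client_auth_subject_dn"
sample_opts.client_cert = "-----BEGIN CERTIFICATE----- (placeholder) -----END CERTIFICATE-----"
sample_opts.client_key = "-----BEGIN PRIVATE KEY----- (placeholder) -----END PRIVATE KEY-----"
local mtls_req = assert(M.build_token_request(sample_opts, { grant_type = "client_credentials" }))
print(mtls_req.ssl_client_cert ~= nil, mtls_req.headers["Authorization"] == nil)

return M
```

The point of passing `http_params` into every method is the one raised in the post above: header- and body-based methods never need it, but an mTLS method has nothing to put in the message at all, so the only place it can act is on the parameters that reach the HTTP client. Keeping `ssl_verify = true` in the defaults means an added method cannot silently weaken server certificate validation unless it does so explicitly.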
Hi
thanks for your response and support.
Currently we have the need to support mTLS for the token exchange. We don't like to make any kind of pressure but do you have any schedule in mind?
Can we support you with development or testing resources? Because we have already the infrastructure up and running this could help to bring the project further.
best regards
Andreas
I'm working on lua-resty-openidc during my spare time - as one of several open source projects I'm involved in. Don't worry, I don't feel pushed, am just trying to manage expectations :-)
Having said that, I have zero experience with the setup of a client certificate for outgoing requests from within the nginx Lua module. It might even be this is not doable at all given the provided APIs. I'm not in a better position to implement the feature than most any other developer.
Once I find time to look into this issue and if I happen to find a solution, then help with testing would be great.
A better solution probably would be to find somebody else with more experience in said area or just more spare cycles. If I knew how to set up a client certificate for use with lua-resty-http (or - worse - something more low level) then I could probably make it work with lua-resty-openidc rather quickly.