
Support for client certificate authentication during OAuth 2.0 #4961

Merged
merged 1 commit into from
Nov 21, 2022

Conversation

@NicholasMata (Contributor) commented Jul 13, 2022

changelog(Improvements): Added support for Client Certificate Authentication during OAuth 2 fetch token

Adds support for Client Certificate Authentication during the OAuth 2 browser popup. This form of authentication is well known and supported by all major browsers (Safari, Chrome, Edge, etc.).

This fix will automatically select the first certificate if there is only a single certificate. If there are multiple valid certificates it will prompt the user to select one.

[Screenshot: certificate selection popup, 2022-07-15]

Closes #4960 and possibly #1250
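The selection rule the PR description gives (pick the single matching certificate automatically, prompt the user when there are several) as an added example written against Electron's `select-client-certificate` event. This is not Insomnia's or the PR's own code: the `promptUser` picker is a hypothetical function you would build on an Electron dialog, and the `app` emitter is injected as a parameter so the logic can run without Electron installed.

```javascript
// Added example (not Insomnia's code): certificate selection for Electron's
// 'select-client-certificate' event. Assumptions: `promptUser` is a hypothetical
// picker returning the index the user chose (or -1 to cancel); `app` is whatever
// emits the event (Electron's app or a session), passed in rather than imported.

/**
 * Decide which client certificate to present for the TLS handshake.
 * @param {Array<object>} certificates  certificate objects the event offers
 * @param {(certs: Array<object>) => number} promptUser  hypothetical picker
 * @returns {object|undefined} the certificate to send, or undefined to send none
 */
function chooseClientCertificate(certificates, promptUser) {
  if (!Array.isArray(certificates) || certificates.length === 0) {
    // Nothing matched the server's CA list: send no certificate rather than a wrong one.
    return undefined;
  }
  if (certificates.length === 1) {
    // Exactly one valid certificate: select it silently, as the PR does.
    return certificates[0];
  }
  // Several valid certificates: ask the user, and treat anything that is not a
  // valid index (cancel, closed dialog, picker bug) as "send none".
  const index = promptUser(certificates);
  if (!Number.isInteger(index) || index < 0 || index >= certificates.length) {
    return undefined;
  }
  return certificates[index];
}

/**
 * Wire the chooser into an emitter that follows Electron's
 * 'select-client-certificate' signature: (event, webContents, url, list, callback).
 */
function registerClientCertificateHandler(app, promptUser) {
  app.on('select-client-certificate', (event, webContents, url, list, callback) => {
    // Without preventDefault() Electron picks list[0] itself, even when several match.
    event.preventDefault();
    const chosen = chooseClientCertificate(list, promptUser);
    if (chosen) {
      callback(chosen);
    } else {
      callback(); // no certificate; the server decides whether to refuse the connection
    }
  });
}

// Stand-alone demo with constructed certificate objects. The fields mimic the ones
// a picker would show from Electron's Certificate (subjectName, issuerName, serialNumber).
const sampleCertificates = [
  { subjectName: 'alice@example.test', issuerName: 'Example Client CA', serialNumber: '01' },
  { subjectName: 'bob@example.test', issuerName: 'Example Client CA', serialNumber: '02' },
];
// A scripted "user" who always picks the entry for bob.
const scriptedPicker = (certs) => certs.findIndex((c) => c.subjectName.startsWith('bob'));
console.log(chooseClientCertificate([sampleCertificates[0]], scriptedPicker).subjectName); // alice (no prompt)
console.log(chooseClientCertificate(sampleCertificates, scriptedPicker).subjectName);      // bob (prompted)
```

Keeping the decision in a pure function separates the policy (auto-select one, prompt for many, send nothing on cancel) from the Electron wiring, so it can be unit-tested with a fake emitter and a scripted picker. If the picker is asynchronous (for example `dialog.showMessageBox`), await it inside the handler before invoking `callback`; Electron waits for the callback either way.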

@NicholasMata NicholasMata force-pushed the develop branch 2 times, most recently from b134975 to 770677a Compare July 15, 2022 08:57
@filfreire (Member) commented
Hi @NicholasMata thanks for contributing this PR and reporting the original issue.

It might take a while for us to look deeply into this PR.

Any chance you can share tips on how to test this PR or resources (e.g. docs, an existing repo, docker container, ...) that would help us experiment with it faster?

@NicholasMata (Contributor, Author) commented Jul 19, 2022

As far as testing with authentication that returns a token, I could set something up, but it might take a while. I have tested against my own organization's authentication server, which I can't give access to.

But to test the functionality of selecting a certificate you can do the following.

Create a new HTTP Request in Insomnia. Then set Auth to OAuth 2.0. Then select Implicit for Grant Type and https://server.cryptomix.com/secure/ for Authorization Url. Then you can go ahead and Fetch Tokens. With this PR you will see a popup window to select a certificate when you have more than one valid certificate available. Then you will see the site show the certificate information for the one that you selected. It won't return a token; as I mentioned before, I can set up an authentication server if needed.

https://server.cryptomix.com/secure/ will require you to select a certificate and it will display all the information about the certificate you selected. You can test it in any browser as well.

If you need to create a certificate you can do the following on macOS. Unfortunately I am not sure the steps for Windows off the top of my head.

  1. Open up Keychain
  2. Select "Keychain" at the top left of the screen.
  3. Hover over "Certificate Assistant"
  4. Select "Create a Certificate..."
  5. Name it whatever you want
  6. Set "Identity Type" to "Self Signed Root"
  7. Set "Certificate Type" to "SSL Client"
  8. Then you can "Create" it.

@wongstein (Contributor) commented Aug 23, 2022

Ah, I can confirm that the PR does what it purports. Following the instructions given, here is what the latest 2022.5.1 Insomnia gives (no option to select certificate):

[Screenshot: Insomnia 2022.5.1, no certificate prompt]

And here's the PR's options to select a certificate:

[Screenshot: PR build, certificate selection dialog]

@filfreire (Member) left a review comment

Tested locally on MacOS, LGTM

[Screenshot: certificate selection on macOS]

On Windows I've tried and it seems I can't get the select-client-certificate to get triggered for now.

@filfreire (Member) left a review comment

Also managed to test it properly on Windows, seems to work fine.

[Screenshot: certificate selection on Windows]

@filfreire filfreire enabled auto-merge (squash) November 21, 2022 15:34
@filfreire filfreire merged commit 7c43fd5 into Kong:develop Nov 21, 2022
pavkout pushed a commit to pavkout/insomnia that referenced this pull request Jan 18, 2023
Successfully merging this pull request may close these issues.

Client Certificate Authentication During OAuth 2.0