Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Client TLS identity extraction and assertion directives #4360

Merged
merged 7 commits into from
Mar 26, 2024
Merged

feat: Client TLS identity extraction and assertion directives #4360

merged 7 commits into from
Mar 26, 2024

Conversation

johanandren
Copy link
Member

No description provided.

@johanandren
Copy link
Member Author

@jroper would be great if you could take a peek at the directives and see if this is something that you envisioned, or tell me if I'm completely off.

@johanandren
Copy link
Member Author

After thinking about it a bit: I guess a single "require" directive that matches on CN and SAN would maybe make more sense than the separate ones I've created now. And maybe also extractors the values for arbitrary logic, and pulling those back to utilities that we can use from Akka gRPC as well.

@jroper
Copy link
Contributor

jroper commented Mar 5, 2024

It looks good to me. It's really hard to say what we should provide in terms of matching the CN vs SAN. Common Names have been deprecated for HTTPS server certificates for almost 25 years. But for client certificates, there's just no standard out there as to what a client certificate should use to identify itself. I think most common would be some sort of DNS value, but should that be in the CN or the SAN?

I think a simple API that matches both CN and SAN may satisfy 95+% of use cases, and a lower level power API will deal with the rest - the directive to extract the certificate is probably enough.

@johanandren johanandren marked this pull request as ready for review March 7, 2024 16:48
@johanandren
Copy link
Member Author

Ready for final review

efgpinto
efgpinto approved these changes Mar 25, 2024
View reviewed changes
Copy link
Contributor

@efgpinto efgpinto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not very knowledgeable on this, but LGTM. Small note on docs.

docs/src/main/paradox/routing-dsl/directives/tls-directives/extractClientCertificate.md Outdated Show resolved Hide resolved
@johanandren johanandren merged commit d53124e into main Mar 26, 2024
8 checks passed
@johanandren johanandren deleted the wip-tls-identity-assertions branch March 26, 2024 12:13
@johanandren johanandren added this to the 10.6.2 milestone Mar 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efgpinto efgpinto efgpinto approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
10.6.2
Development

Successfully merging this pull request may close these issues.
3 participants
@johanandren @jroper @efgpinto