Client Certificate is requested

[reluxa]

When the IDP login page is opened the first time the server asks for client certificates. It would be nice if this behavior could be disabled via the config.yaml.

	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{cert},
		//Some but not all operations will require a client cert
		ClientAuth: tls.VerifyClientCertIfGiven,
		MinVersion: tls.VersionTLS12,
	}

[amdonov]

I agree. However, my primary use case is artifact binding. In that flow, I authenticate service providers by their certificate rather than verifying XML signatures on the requests. I don't think go allows you to prompt for a certificate on one path but not others, but I could be wrong. I'll revisit this and see if I can up come with a solution. I'm open to suggestions.

[shanesiebken]

One approach you can take is by manually verifying that there is a certificate on whichever paths require a certificate. i.e. (pulled from a handler I wrote for testing this same problem):

if len(r.TLS.PeerCertificates) == 0 {
	http.Error(w, "No certificate provided with request", 403)
	log.Debugf("Request with no authorization info or certificate failed authentication")
	return
}

It's far from ideal, and I honestly can't say I'd advocate for that to be added in this project, but @reluxa could fork and take a similar approach.

EDIT: This would be paired with the VerifyClientCertIfGiven config as mentioned in the issue. The whole thing could likely be conditionalized with a handler that only does that check wrapped around in cases where it's desired.

[amdonov]

That's what's happening here.

lite-idp/idp/artifact.go

Line 29 in c7cbf97

// DefaultArtifactResolveHandler is the default implementation for the artifact resolution handler. It can be used as is, wrapped in other handlers, or replaced completely.

Clients are always prompted for a certificate, but it's the only path that requires them. However, clients don't include certificates in the request if we don't at a minimum request them.

[shanesiebken]

Oh, with that said - the suggested suggested client auth configuration ought to behave appropriately. VerifyClientCertIfGiven is a bit misleading, in that it does request a certificate (https://golang.org/pkg/crypto/tls/#ClientAuthType), and verifies it if it's given.

[shanesiebken]

And that said, I saw some odd behavior with that client auth configuration in firefox. I didn't dig around too much in there to understand what was going on, and I can't remember whether or not I verified the behavior on other client auth configs. That's not terribly helpful, but something to potentially be wary of.

[amdonov]

The "suggested" client auth configuration is the current configuration,

lite-idp/idp/tls.go

Line 35 in c7cbf97

ClientAuth: tls.VerifyClientCertIfGiven,

[shanesiebken]

Whew, I had this issue totally backwards in my head. Thanks for clearing that up and sorry for the confusion.

[amdonov]

I'm going to close this issue. @reluxa, If you don't want artifact binding for your use case, you can change the TLS configuration of the IdP by setting the TLSConfig property on the IdP. I realize it means creating your own binary, but I don't want to allow it via configuration change because of the side effects.