Support client tokens for authentication #343

Closed
stgraber opened this issue May 12, 2023 · 2 comments

Comments

@stgraber

The current TLS support is nice, but it has the downside of pushing users towards generating one client certificate per LXD server.
This then gets them into the annoying authentication flow of having to figure out which certificate to select in their browser.

Instead, it may be interesting to support LXD's token based authentication where the user would basically:

  • Hit up /ui
  • UI detects that no client certificate is used (not sure if possible), then offers to generate a PFX for the user
  • UI instructs user to do lxc config trust add --name some-name on the LXD server
  • UI takes in the token string provided by the user and adds the browser's certificate to the target LXD's trust store

In this scenario, the user never needs to pass a .crt to the server and they can also rely on a single certificate per browser instead of per server.

@edlerd
Collaborator

edlerd commented May 15, 2023

I think I understand what you mean partly: the process to generate certificates will let the user download the pfx file and import that to the browser. Adding the cert to the trust store will happen via the HTTP API - directly from the browser. To allow that, we let users authenticate once (for the post to 1.0/certificates) via a password that is coming from the LXD CLI.

What I don't understand is the reuse of an existing certificate for another server. We need to share the certificate from one lxd-ui instance to another one. We need the certificate on a new instance for the post to 1.0/certificates. But I don't see how we'd share the certificate if the user can't download it. Could you clarify this bit, or did I misunderstand the proposed process?
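The browser-side part of the flow sketched in the issue body and in the reply above, as an added example (not lxd-ui's own code). It assumes that the token printed by lxc config trust add is base64-encoded JSON with client_name, fingerprint, addresses and secret fields, that GET /1.0 exposes the server's certificate fingerprint, and that the secret is accepted as the password of POST /1.0/certificates; the two endpoints are faked so it runs offline. The security-relevant step is that the secret is only released to a server whose fingerprint matches the one baked into the token.

```javascript
// Added example, not lxd-ui's code. Labelled assumptions: token = base64 JSON with
// client_name/fingerprint/addresses/secret; GET /1.0 returns
// metadata.environment.certificate_fingerprint; POST /1.0/certificates accepts the
// secret as "password" and trusts the certificate presented in the TLS handshake.
const b64decode = (s) => (typeof atob === "function"
  ? atob(s) : Buffer.from(s, "base64").toString("binary"));
const b64encode = (s) => (typeof btoa === "function"
  ? btoa(s) : Buffer.from(s, "binary").toString("base64"));

// Parse and validate the pasted token before anything is sent to the server.
function decodeTrustToken(rawToken) {
  const t = JSON.parse(b64decode(rawToken.trim()));
  for (const f of ["client_name", "fingerprint", "secret"]) {
    if (typeof t[f] !== "string" || t[f] === "") throw new Error(`token lacks "${f}"`);
  }
  if (!/^[0-9a-f]{64}$/.test(t.fingerprint)) throw new Error("fingerprint is not SHA-256 hex");
  return t;
}

// The token binds its secret to one server: refuse to hand the secret to any other.
function fingerprintMatches(token, serverInfo) {
  return serverInfo.metadata.environment.certificate_fingerprint === token.fingerprint;
}

// fetchImpl is injectable so the flow can be exercised against the fake server below.
async function trustBrowserCertificate(rawToken, fetchImpl = fetch) {
  const token = decodeTrustToken(rawToken);
  const info = await (await fetchImpl("/1.0")).json();
  if (!fingerprintMatches(token, info)) throw new Error("server does not match token");
  const resp = await fetchImpl("/1.0/certificates", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    // No certificate in the body: the server takes the one from the TLS handshake.
    body: JSON.stringify({ type: "client", name: token.client_name, password: token.secret }),
  });
  const body = await resp.json();
  if (!resp.ok || body.type === "error") throw new Error(`trust add failed: ${body.error}`);
  return token.client_name;
}

// Constructed sample values (not real LXD output) so the example runs offline.
const SAMPLE_FINGERPRINT = "0123456789abcdef".repeat(4);
const SAMPLE_TOKEN = b64encode(JSON.stringify({ client_name: "laptop-firefox",
  fingerprint: SAMPLE_FINGERPRINT, addresses: ["10.0.0.5:8443"], secret: "c0ffee" }));

// Minimal stand-in for the two endpoints used, reporting the given fingerprint.
function fakeLxd(fingerprint) {
  return async (url, opts) => ({ ok: true, json: async () => (url === "/1.0"
    ? { metadata: { environment: { certificate_fingerprint: fingerprint } } }
    : { type: "sync", status_code: 200, received: JSON.parse(opts.body) }) });
}
```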

@edlerd
Collaborator

edlerd commented Jun 7, 2023

Fixed with #374

@edlerd edlerd closed this as completed Jun 7, 2023