A code example to demonstrate Mutual TLS infrastructure and use of certificate bound access tokens.
Mutual TLS is commonly used for APIs between business partners, including in Open Banking setups.
The Mutual TLS API Code Example Article explains the technical behavior and setup.
First create certificates for testing:

```bash
./1-create-certs.sh
```

Then build the code:

```bash
./2-build.sh
```

Then deploy the Mutual TLS endpoints:

```bash
./3-deploy.sh
```

Then authenticate via Mutual TLS and call the API over a Mutual TLS channel:

```bash
./4-run-client.sh
```

For troubleshooting, view the logs by running one or more of the following commands:

```bash
./5-view-logs.sh api
./5-view-logs.sh identity-server
./5-view-logs.sh reverse-proxy
```
The code example enables the security workflow to be easily run on a development computer:

- The client authenticates using the OAuth Client Credentials Grant with a Client Certificate credential
- The client then receives an opaque access token and sends it to the API, using Mutual TLS and the token
- For OAuth requests the Mutual TLS verification is done by the Curity Identity Server
- For API requests the Mutual TLS verification is done by the reverse proxy
- A dedicated endpoint is used for Mutual TLS connections, which avoids impacting other clients
- Access tokens are issued with a `cnf` claim containing the SHA256 thumbprint of the client's certificate
- During API requests the reverse proxy introspects the opaque token from the client to get the token in JWT format
- The reverse proxy then verifies that the JWT's `cnf` claim matches the thumbprint of the request's client certificate
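As an added illustration (not code from this repository), the following Python shows the check the last two bullets describe, assuming the RFC 8705 `x5t#S256` member of the `cnf` claim and constructed sample bytes in place of a real certificate:

```python
import base64
import hashlib
import hmac
import re

# RFC 8705 binds a token to a client certificate via cnf["x5t#S256"]:
# the base64url (no padding) SHA-256 of the certificate's DER encoding.
CNF_THUMBPRINT_KEY = "x5t#S256"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(match.group(1).split()))


def x5t_s256(der: bytes) -> str:
    """Compute the certificate thumbprint in the form the cnf claim carries."""
    digest = hashlib.sha256(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def certificate_matches_token(claims: dict, der: bytes) -> bool:
    """Decide whether the request's client certificate matches the token's cnf claim.

    Returns False (reject) when the token carries no certificate binding, so a
    token obtained without Mutual TLS cannot be replayed on this endpoint.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    expected = cnf.get(CNF_THUMBPRINT_KEY)
    if not isinstance(expected, str):
        return False
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected.encode(), x5t_s256(der).encode())


# Constructed sample data (not a real certificate): stands in for the DER
# bytes the reverse proxy would take from the TLS handshake.
SAMPLE_DER = b"constructed-client-certificate-der-bytes"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n".format(
    base64.b64encode(SAMPLE_DER).decode("ascii"))
# Claims as the proxy would see them after introspecting the opaque token.
BOUND_CLAIMS = {"sub": "partner-client",
                "cnf": {CNF_THUMBPRINT_KEY: x5t_s256(SAMPLE_DER)}}

if __name__ == "__main__":
    print(certificate_matches_token(BOUND_CLAIMS, pem_to_der(SAMPLE_PEM)))
```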
Once you're done testing out the solution, run the following command to remove all the project's containers:

```bash
./6-teardown.sh
```
Please visit curity.io for more information about the Curity Identity Server.