Skip to content

curityio/mutual-tls-api-example

Repository files navigation

Mutual TLS Secured API Code Example

Quality Availability

A code example to demonstrate Mutual TLS infrastructure and use of certificate bound access tokens.

B2B APIs

Mutual TLS is commonly used for APIs between business partners, including in Open Banking setups:

Sequence

Walkthrough

The Mutual TLS API Code Example Article explains the technical behavior and setup.

Quick Start

First create certificates for testing:

./1-create-certs.sh

Then build the code:

./2-build.sh

Then deploy the Mutual TLS endpoints:

./3-deploy.sh

Then authenticate via Mutual TLS and call the API over a Mutual TLS channel:

./4-run-client.sh

For troubleshooting view the logs by running one or more of the following commands:

./5-view-logs.sh api
./5-view-logs.sh identity-server
./5-view-logs.sh reverse-proxy

Security Workflow

The code example enables the security workflow to be easily run on a development computer:

Client Behavior

  • The client authenticates using the OAuth Client Credentials Grant with a Client Certiticate credential
  • The client then receives an opaque access token and sends it to the API, using Mutual TLS and the token

Reverse Proxy and Mutual TLS Termination

  • For OAuth requests the Mutual TLS verification is done by the Curity Identity Server
  • For API requests the Mutual TLS verification is done by the reverse proxy

Curity Identity Server

  • A dedicated endpoint is used for Mutual TLS connections, which avoids impacting other clients
  • Access tokens are issued with a cnf claim containing the SHA256 thumbprint of the client's certificate

Certificate Bound Token Verification

  • During API requests the reverse proxy introspects the opaque token from the client to get the token in JWT format
  • The reverse proxy then verifies that the JWT's cnf claim matches the thumbprint of the request's client certificate

Teardown

Once you're done testing out the solution run

./6-teardown.sh

to remove all the project's containers.

More Information

Please visit curity.io for more information about the Curity Identity Server.