Support for mapping user from TLS client certificate #865
This allows a client certificate to identify a user in the NATS system. This is currently a boolean extension to verify,
verify_and_map: true
Generally this should be an email and be part of the extended syntax for Subject in the certificate, or what is preferred as SubjectAltName designation. Hence using a simple boolean. If need be we can make it a bool or string in the future if we need to customize how the user is pulled from the cert.
Subject CN
Subject: C=US, ST=CA, L=LA, O=Synadia, OU=NATS.io, CN=localhost/emailAddress=derek@nats.io
SubjectAltName
Go will treat these as per the spec with SubjectAltName being preferred.
Signed-off-by: Derek Collison derek@nats.io
/cc @nats-io/core
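
The lookup order the description outlines, as an added Go example (not code from this pull request or from nats-server). `userFromCert`, `makeCert` and the sample certificates are constructed for illustration, and falling back to the Subject `emailAddress` attribute when no SubjectAltName email exists is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidEmail = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1} // PKCS #9 emailAddress

// userFromCert (hypothetical) prefers a SubjectAltName email over the Subject emailAddress.
func userFromCert(c *x509.Certificate) (string, bool) {
	if len(c.EmailAddresses) > 0 { // rfc822Name entries from SubjectAltName
		return c.EmailAddresses[0], true
	}
	for _, atv := range c.Subject.Names { // Subject DN attributes, in order
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidEmail) {
			return s, true
		}
	}
	return "", false // no email identity: the connection maps to no user
}

// makeCert builds a constructed, self-signed sample certificate and parses it back.
func makeCert(subjectEmail string, sanEmails []string) (*x509.Certificate, error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // throwaway test key
	subj := pkix.Name{CommonName: "localhost"}
	if subjectEmail != "" {
		subj.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidEmail, Value: subjectEmail}}
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subj, EmailAddresses: sanEmails,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, err := makeCert("subject@example.com", []string{"san@example.com"})
	if err == nil {
		fmt.Println(userFromCert(c))
	}
}
```

A certificate that carries neither form yields no identity, which a server mapping users this way should treat as an authentication failure rather than as an anonymous user.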