Auth-Callout: use both client_certs and username/password #5119

mcosta74 · 2024-02-22T10:54:01Z

mcosta74
Feb 22, 2024

Is there a way to configure the server in order to forward client certs to the auth_callout service also when tls { verify: false} ?

At the moment I have a configuration like

tls: {
    cert_file: "./certs/nats_server.crt"
    key_file: "./certs/nats_server.key"
    ca_file: "./certs/ca_for_clients.crt"
    verify: false
}

accounts {
  AUTH {
    users: [
      { nkey: <user_nkey> }
    ]
  }
  APP {}
  SYS {}
}


authorization {
  auth_callout {
    issuer: <issuer_nkey>
    users: [ <user_nkey> ]
    account: AUTH
  }
}


system_account: SYS

now, when i try to do

nats -user foo -password bar pub foo 'bar'

the auth callout service gets

"connect_opts": {
      "user": "foo",
      "pass": "bar",
      "name": "NATS CLI Version 0.1.1",
      "lang": "go",
      "version": "1.30.0",
      "protocol": 1
},
"client_tls": {
      "version": "1.3",
      "cipher": "TLS_AES_128_GCM_SHA256"
},

in the request claims

while if I run

nats --tlscert <cert_file> --tlskey <key_file> --tlsca <ca_file> bar pub foo 'bar'

The auth-callout svc receives this

"connect_opts": {
      "name": "NATS CLI Version 0.1.1",
      "lang": "go",
      "version": "1.30.0",
      "protocol": 1
},
"client_tls": {
      "version": "1.3",
      "cipher": "TLS_AES_128_GCM_SHA256"
},

So there's no info about certs provided by the client

So the main goal is to have a single NATS server instance that allows (using auth-callout) to authentica via username/password AND client certs

Answered by aricart

Feb 26, 2024

If you want the server to look at the certs, verify has to be enabled. - if you think about it, this way there's the protection that the certs are valid.

View full answer

aricart · 2024-02-26T12:52:31Z

aricart
Feb 26, 2024
Collaborator

If you want the server to look at the certs, verify has to be enabled. - if you think about it, this way there's the protection that the certs are valid.

0 replies

aricart · 2024-02-26T13:07:35Z

aricart
Feb 26, 2024
Collaborator

To further expand. The callout and the server configuration may not be in sync. This basically becomes a promise to the callout that the certs are valid. The callout can then do additional work, but at the very least, it can ensure that the client-provided certs are valid from a TLS perspective.

1 reply

mcosta74 Feb 26, 2024
Author

does it means that if I wanna have a client authenticated either via username/password and client certs I still need two instances of NATS server; right ?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Auth-Callout: use both client_certs and username/password #5119

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Auth-Callout: use both client_certs and username/password #5119

mcosta74 Feb 22, 2024

Replies: 2 comments · 1 reply

aricart Feb 26, 2024 Collaborator

aricart Feb 26, 2024 Collaborator

mcosta74 Feb 26, 2024 Author

mcosta74
Feb 22, 2024

Replies: 2 comments 1 reply

aricart
Feb 26, 2024
Collaborator

aricart
Feb 26, 2024
Collaborator

mcosta74 Feb 26, 2024
Author