If client_ca or tls_downstream_client_ca were set in config, Pomerium prompted to select a client certificate twice when a user accessed application services behind Pomerium.
For the 1st prompt to select a client certificate, Pomerium should verify the client certificate at the very beginning, when the user requests access. However, Pomerium showed the 2nd prompt to select a client certificate when redirecting to the authenticate URL, and Pomerium ignored the selection (cancel the prompt, or select any client certificate), i.e. Pomerium proceeded regardless of the user's choice. The interaction is a poor user experience.
In addition, Pomerium also prompted to select a client certificate twice when a user accessed any other route if tls_downstream_client_ca was set on a specific route in config.
What did you expect to happen?
Pomerium should prompt the user for a client certificate only once, and Pomerium should not show the second prompt, which is meaningless in mTLS scenarios.
How'd it happen?
1. Set client-ca or tls_downstream_client_ca in Pomerium config
2. Access an application URL; Pomerium will prompt the user for a client certificate (a valid certificate has to be selected)
3. Redirect to the authenticate URL; Pomerium will always prompt the user for a client certificate again
This is indeed a limitation of our current mTLS implementation: Pomerium applies the same mTLS validation settings across all configured domains (including the authenticate service domain), so the browser will generally prompt for a client certificate for each separate domain.
It's not clear to me how we could avoid this behavior. We could potentially move the authenticate domain to its own separate Envoy filter chain, and avoid setting any downstream validation context there, but then we may run into other issues. For example, if a user were to visit the authenticate domain directly, and then a user-defined Pomerium route, the browser may attempt to reuse the first connection, which would likely not trigger a prompt for a client certificate, instead resulting in an error page.
Also note that some of our other customers explicitly want mTLS validation to apply to the authenticate service as well as any other Pomerium routes.
@gp666, is the current behavior a deal-breaker for your organization, or more of an annoyance that you can live with? Do you have any way to apply a device policy to your users' browsers to automatically select the correct client certificate? (For example, Chrome provides an AutoSelectCertificateForUrls policy that looks like it might help with this situation.)
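As an added example of the Chrome policy mentioned above (my own script, not code from the issue or from Pomerium): a POSIX shell script that writes a Chrome managed-policy file pinning the client certificate for both the authenticate domain and an application route, so the browser stops prompting once per domain. The hostnames, the issuer CN and the policy directory are assumed placeholders.

```shell
#!/bin/sh
# Added example (not Pomerium's own code): install a Chrome managed policy that
# auto-selects the client certificate for every domain Pomerium serves, including
# the authenticate domain, so the browser no longer prompts once per domain.
# Assumed placeholders: the hostnames, the issuer CN and POLICY_DIR.
set -eu

# Emit one AutoSelectCertificateForUrls entry: a URL pattern plus a filter that
# matches only certificates issued by the client CA Pomerium trusts (client_ca).
cert_rule() {
  printf '{"pattern":"%s","filter":{"ISSUER":{"CN":"%s"}}}' "$1" "$2"
}

# Build the policy JSON. Chrome expects each entry as a JSON *string*, so the
# inner quotes are escaped with sed and each rule becomes one list item.
# Arguments: issuer CN, then one or more URL patterns.
build_policy() {
  issuer_cn="$1"; shift
  first=1
  printf '{\n  "AutoSelectCertificateForUrls": [\n'
  for pattern in "$@"; do
    rule=$(cert_rule "$pattern" "$issuer_cn" | sed 's/"/\\"/g')
    [ "$first" -eq 1 ] || printf ',\n'
    printf '    "%s"' "$rule"
    first=0
  done
  printf '\n  ]\n}\n'
}

# Write the policy where Chrome on Linux reads managed policies (assumed path,
# override with POLICY_DIR). Same arguments as build_policy.
install_policy() {
  POLICY_DIR="${POLICY_DIR:-/etc/opt/chrome/policies/managed}"
  mkdir -p "$POLICY_DIR"
  build_policy "$@" > "$POLICY_DIR/pomerium-mtls.json"
}

# Usage with placeholder names: the authenticate domain and the application
# route share one client CA, so one issuer filter covers both patterns.
# install_policy "Example Client CA" https://authenticate.example.com https://app.example.com
```

This only removes the browser prompt; each domain still presents the selected certificate to Pomerium's downstream validation.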
Apologies for the delay. I can understand that the authenticate domain has the requirement of mTLS validation.
But in the current version, the mTLS validation of the authenticate service may not work when the authenticate domain is accessed directly and any choice is selected (cancel the prompt, or select any client certificate). (Setting client_ca in config)
What's your environment like?
Pomerium Version: pomerium: 0.22.2-1685134689+6efd1d6b
envoy: 1.25.5+b1095c058415dfb2261e695a0f144311a7dc346b6eb47ecbb0a01b7de2c7299f
OS: ubuntu 20.04
What's your config.yaml?
What did you see in the logs?
N/A
Additional context
N/A