Replies: 3 comments
-
I read more about SSL certificates (both server and client) and think I understand how to do it. I will not use NginX at all, but rather Gunicorn (with Uvicorn workers, but whatever). Gunicorn will receive server and client certificates, along with the certificate authority to encrypt to HTTPS but also authenticate clients. I'll also use the I just need to make sure that Gunicorn will verify that the client certificate was signed with the CA, and not just verify its validity (expiry date, etc.). If not, I'll have to use code similar to what's in the blog post I mentioned to verify this in the API code myself 😕 I will report back later once I have tried all this!
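Added example, not code from this discussion or from Gunicorn or Uvicorn: the check the comment above asks about, written with Python's standard `ssl` module. The file paths are hypothetical parameters; Gunicorn's `ca_certs` and `cert_reqs` settings name the same CA file and verify mode.

```python
import ssl


def mtls_server_context(client_ca=None, certfile=None, keyfile=None):
    """TLS server context that only admits clients whose certificate chains
    to client_ca. All paths are hypothetical; None skips the file load."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # trust store starts empty
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CERT_REQUIRED: the handshake fails unless the client sends a certificate
    # and OpenSSL can build a chain from it to a CA loaded below, checking the
    # signatures as well as the validity dates. CERT_OPTIONAL would still
    # admit clients that send no certificate at all.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_ca:
        # Load only the private CA; load_default_certs() would also trust
        # every public CA in the system store.
        ctx.load_verify_locations(cafile=client_ca)
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def policy_problems(ctx):
    """Return reasons why ctx does not enforce CA-signed client certificates."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("client certificate is not required")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        problems.append("no client CA loaded")
    return problems


def client_common_name(peercert):
    """Subject CN from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


if __name__ == "__main__":
    print(policy_problems(mtls_server_context()))  # no CA file given here
```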
-
In the end I'll completely drop the client certificates, as they will cause more problems than they solve in the architecture we have. Instead, we'll use something like API keys or similar. If you want to read about SSL anyway, here are the resources that helped me understand how it works:
Closing as my previous comment contains a partial, if not full, solution to the issue.
-
Thanks for reporting back and closing the issue 👍
-
First check
Description
How can I authenticate requests using SSL client certificates?
The only resource I found that could be helpful is https://www.osso.nl/blog/checking-client-ssl-certificate-from-python/, which shows some Python code to authenticate requests against their provided certificate. It uses NginX, which passes the certificate in a HTTP_X_CLIENT_CERT header if I understand correctly.
How would it work with FastAPI / uvicorn (without NginX)?
Does anyone have experience or working code on that matter? Does anyone have ideas or hints on how to implement such authentication method in FastAPI?