How to authenticate requests with SSL client certificates

[pawamoy]

First check

• I used the GitHub search to find a similar issue and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.

Description

How can I authenticate requests using SSL client certificates?

The only resource I found that could be helpful is https://www.osso.nl/blog/checking-client-ssl-certificate-from-python/, that shows some Python code to authenticate requests against their provided certificate. It uses NginX, which passes the certificate in a HTTP_X_CLIENT_CERT header if I understand correctly.

How would it work with FastAPI / uvicorn (without NginX)?

Does anyone have experience or working code on that matter? Does anyone have ideas or hints on how to implement such authentication method in FastAPI?

[pawamoy]

I read more about SSL certificates (both server and client) and think I understand how to do it.

I will not use NginX at all, but rather Gunicorn (with Uvicorn workers, but whatever). Gunicorn will receive server and client certificates, along with the certificates authority to encrypt to HTTPS but also authenticate clients. I'll also use the VerifyMode.CERT_OPTIONAL mode (1 for Gunicorn: https://docs.gunicorn.org/en/stable/settings.html#cert-reqs), allowing clients to still send requests without a certificate so I can send back an error message or authenticate them with other methods (with a cookie for example).

I just need to make sure that Gunicorn will verify that the client certificate was signed with the CA, and not just verify its validity (expiry date, etc.). If not, I'll have to use code similar to what's in the blog post I mentioned to verify this in the API code myself 😕

I will report back later once I tried all this!

[pawamoy]

In the end I'll completely drop the client certificates, as they will cause more problems than they solve in the architecture we have. Instead, we'll use something like API keys or similar.

If you want to read about SSL anyway, here are the resources that helped me understand how it works:

• https://medium.com/@sevcsik/authentication-using-https-client-certificates-3c9d270e8326
• https://www.osso.nl/blog/checking-client-ssl-certificate-from-python/
• https://tech-habit.info/posts/https-cert-based-auth-with-flask-and-gunicorn/
• https://docs.gunicorn.org/en/stable/settings.html#ssl
• https://docs.python.org/3/library/ssl.html?highlight=verifymode#ssl.CERT_OPTIONAL

Closing as my previous comment contains a partial, if not full, solution to the issue.

[tiangolo]

Thanks for reporting back and closing the issue 👍