AnWeber / httpyac

Command Line Interface for *.http and *.rest files. Connect with http, gRPC, WebSocket and MQTT
https://httpyac.github.io/
MIT License

Client Certificate is not being picked up for authorization requests #802

Closed eporsche closed 3 days ago

eporsche commented 4 days ago

Hi, what could be the reason httpyac is not picking up client certificates? I tried it with .httpyac.json in the root of the project and directly setting the "(X-)ClientCert:" header. It works with Postman though.

Could it be that the certificates are not being used during the openid requests?

AnWeber commented 4 days ago

No, client certs are not sent on the openid authorization request. You define them to be used for the actual request. To use the certs, you have to add them on your own with interceptRequest. Is this a pattern which is used more often? I have never seen client certs in an oauth2 call.

eporsche commented 4 days ago

Not sure if it's a common pattern, to be honest - I can only tell that it is being used in my case. Will have a look at the interceptRequest - thx!

AnWeber commented 3 days ago

I want to leave this issue open. Small reminder for me to check how to implement client cert requests in the oauth2 flow.

eporsche commented 3 days ago

Putting this at the beginning of the http file works for me (when the client cert files are configured as per the documentation):


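{{
  // Per this thread, this hook is how the client certificate gets attached to
  // the OAuth2/OpenID requests, which do not pick it up on their own.
  exports.oauth2_interceptRequest = function(request, context) {
    // Entry from .httpyac.json; replace "your-domain" with the configured key.
    const clientCertificateOptions = context.config?.clientCertificates?.["your-domain"];
    if (!clientCertificateOptions) {
      // Fail with a clear message instead of a TypeError on the next lines.
      throw new Error('no clientCertificates entry for "your-domain"');
    }
    const fs = require('fs');
    // Reading certificate and key files synchronously
    const certificate = fs.readFileSync(clientCertificateOptions.cert, 'utf8');
    const key = fs.readFileSync(clientCertificateOptions.key, 'utf8');
    if (!request.options) {
        request.options = {};
    }
    // Merge into any existing https options rather than replacing them
    request.options.https = Object.assign({}, request.options.https, {
        certificate: certificate,
        key: key,
    });
  }
}}

AnWeber commented 3 days ago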

@eporsche You were faster. I would have implemented the same solution, except that I use the existing methods and therefore have less code. I would add mine anyway, as it makes sense to support it out of the box. And I'm impressed that you put the solution together so quickly.
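
Added example, not part of the thread and not httpyac's own code: a helper for the hook above that goes beyond the hard-coded "your-domain" key by selecting the `clientCertificates` entry that exactly matches the token endpoint's host, so the client identity is only presented over TLS to hosts named in the config. The function name, the `baseDir` and `readFile` parameters, and the `pfx`/`passphrase` entry fields are assumptions of this example.

```javascript
// Added example: choose the clientCertificates entry for a URL's host and
// turn it into the https options used by the hook in the thread.
const fs = require('fs');
const path = require('path');

// clientCertificates: the map from .httpyac.json, keyed by host.
// baseDir: assumed directory that relative certificate paths resolve against.
// readFile: injectable so the function can be exercised without real key files.
function clientCertOptionsFor(url, clientCertificates, baseDir = process.cwd(), readFile = fs.readFileSync) {
  const { protocol, host, hostname } = new URL(url);
  // Never attach a client identity to a non-TLS request.
  if (protocol !== 'https:') return undefined;
  // Exact match only (host with port first, then bare hostname), so the
  // certificate is presented solely to endpoints named in the config.
  const entry = clientCertificates?.[host] ?? clientCertificates?.[hostname];
  if (!entry) return undefined;

  const load = (file, encoding) =>
    file ? readFile(path.resolve(baseDir, file), encoding) : undefined;
  const https = {
    certificate: load(entry.cert, 'utf8'),
    key: load(entry.key, 'utf8'),
    pfx: load(entry.pfx), // PKCS#12 is binary, so it stays a Buffer
    passphrase: entry.passphrase,
  };
  if (!https.pfx && !(https.certificate && https.key)) {
    throw new Error(`clientCertificates["${host}"] needs cert+key or pfx`);
  }
  // Drop unset fields so they cannot overwrite existing request options.
  return Object.fromEntries(Object.entries(https).filter(([, v]) => v !== undefined));
}

// Hypothetical wiring inside exports.oauth2_interceptRequest:
//   const https = clientCertOptionsFor(request.url, context.config?.clientCertificates);
//   if (https) {
//     request.options = { ...request.options, https: { ...request.options?.https, ...https } };
//   }
```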