Open oliviermartin opened 2 months ago
@swift-ci test
Pass the URLCredential through URLSessionConfiguration
I think it'd be better to set this on the task instead of the session configuration. Generally the client would use the same session + configuration for every request they make, but might not necessarily want to enable client certificate authentication on all of them.
Thanks @jrflat and @travarin for the feedback! I have just updated the PR with your suggestions.
Reading URLSession made me understand a bit better the philosophy behind this design (URLSession vs URLSessionTask). My understanding came initially from the examples of client certificate authentication I found on the Internet that often implement URLSessionDelegate instead of URLSessionTaskDelegate for their client certificate authentication - and probably create one URLSession per URL.
Just on a few points you mentioned in your comments:
URLSession(Task)Delegate into libcurl code whether we wanted to follow the same approach as Darwin system (ie: using func urlSession(URLSession, task: URLSessionTask, didReceive: URLAuthenticationChallenge, completionHandler: (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) for client authentication).
URLSessionTaskDelegate (and URLSessionDelegate()) to pass URLCredential to URLSession backend before any connection - something like: func urlSession(URLSession, task: URLSessionTask, getCredential: (URLCredential) -> Void)
I guess the next step is for me to create a proposal in swift-evolution?
Swift Foundation Networking does not currently support client certificate authentication which is quite a limitation when integrating with a more complex system. For MacOS/iOS based platform, the client certificate authentication is done through URLSessionDelegate that handles authentication challenges.
Swift Foundation Networking relies on libcurl for URLSession. This support does not go through URLSessionDelegate for authentication challenge. The approach used by this pull-request is:
URLCredential to also pass client private key and certificate
URLCredential through URLSessionConfiguration. Note: on MacOS/iOS this approach could also be used as the URLSessionDelegate is often a copy/paste to pass URLCredential back to URLSession.
There is no unittest for this new code as it would require Swift to support server with TLS client certificate authentication support. The code can be locally tested with openssl s_server.
Here is an example code to use this API:
Limitations of this support:
URLSessionDelegate. But for using the same approach, we would either need to fork libcurl in swift-corelibs-foundation to handle the authentication challenge in Swift or we would need to a different library "backend" to handle URLSession
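The description mentions testing locally with openssl s_server. The following is an added example, not code from the pull request: a local fixture that builds a throwaway CA, starts s_server with a client certificate required, and confirms that a client is accepted only when it presents one. The certificate subjects, file names and port are constructed for the test.

```bash
#!/bin/sh
# Added example; subjects, file names and the port are constructed.

# Create a throwaway CA plus one server and one client certificate in $1.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
  for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.test" \
      -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$n.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
      -CAcreateserial -days 1 -out "$1/$n.pem" 2>/dev/null || return 1
  done
}

# Send one HTTP request over TLS; extra arguments carry the client identity.
# Succeeds only if the server answered, i.e. it accepted the handshake.
probe() {
  p_dir=$1; p_port=$2; shift 2
  printf 'GET / HTTP/1.0\r\n\r\n' |
    openssl s_client -quiet -connect "127.0.0.1:$p_port" \
      -CAfile "$p_dir/ca.pem" "$@" 2>/dev/null | grep -q 'HTTP/1.0 200'
}

# Start s_server so that it demands a client certificate (-Verify) and drops
# untrusted ones (-verify_return_error), then probe with and without a cert.
# Prints "with_cert=<result> without_cert=<result>".
mtls_selftest() (
  port=${1:-44330}
  d=$(mktemp -d) || exit 1
  make_pki "$d" || { rm -rf "$d"; exit 1; }
  openssl s_server -accept "$port" -www -Verify 1 -verify_return_error \
    -CAfile "$d/ca.pem" -cert "$d/server.pem" -key "$d/server.key" \
    </dev/null >/dev/null 2>&1 &
  srv=$!
  with=rejected; without=rejected; i=0
  while [ "$i" -lt 20 ]; do   # retry until the listener is up
    if probe "$d" "$port" -cert "$d/client.pem" -key "$d/client.key"; then
      with=accepted; break
    fi
    i=$((i + 1)); sleep 1
  done
  if probe "$d" "$port"; then without=accepted; fi
  kill "$srv" 2>/dev/null || true; wait "$srv" 2>/dev/null || true
  rm -rf "$d"
  echo "with_cert=$with without_cert=$without"
)
```

Without `-verify_return_error`, s_server logs a failed certificate verification but lets the connection continue, so a fixture lacking it only proves that some certificate was sent.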