dlenski / gp-saml-gui

Interactively authenticate to GlobalProtect VPNs that require SAML
GNU General Public License v3.0

webkit2: x509 client certificate #36

Open svfrd opened 2 years ago

svfrd commented 2 years ago

Hello all,

For SAML authentication we need to send the client certificate to the Keycloak instance. This is not implemented in the class "SAMLLoginView" yet. I could not find a way to implement this so far either.

https://lazka.github.io/pgi-docs/WebKit2-4.0/mapping.html

Any ideas would be appreciated.

webkit browser error: {"error_description":"X509 client certificate is missing.","error":"invalid_request"}

dlenski commented 2 years ago

According to https://lazka.github.io/pgi-docs/WebKit2-4.0/index.html, those docs are for WebKit2 4.0 (2.32.3).

Maybe they need to be updated? These docs say that there are client-cert-related methods since 2.34: https://webkitgtk.org/reference/webkit2gtk/stable/WebKitAuthenticationRequest.html#webkit-credential-new-for-certificate

Do these work with Python GI?

svfrd commented 2 years ago

hey dan,

I have tried various things over the last few days, but I just can't get any further.

For testing I have set up a test site and created a very simple client: https://github.com/svfrd/py3-gtk-webkit2-x509-auth

dlenski commented 2 years ago

> I have tried various things over the last few days, but I just can't get any further.

Looks like you're very much on the right track, and this is a very good way to demonstrate any issues with the Python bindings. :+1: :+1:

> WebKit2.Credential.new_for_certificate() and WebKit2.WebContext.allow_tls_certificate_for_host() the functions are not considered. is the correct context missing?

I did some more superficial testing of these and ran into similar issues.

I have a hunch that the Python bindings haven't been updated to match the C API, but unfortunately don't know who to contact/bother/annoy/cajole to try to get them updated. I don't even understand the version numbering scheme fully. :man_shrugging:

Possibly https://github.com/GNOME/pygobject is the right place to start? Perhaps @lazka could provide some pointers, since he maintains the (excellent!) documentation for the Python GI API bindings, so he must know something about their inner workings. :sweat_smile:

I am going to have very little time to work on this for the foreseeable future, but will happily accept whatever diagnosis or documentation or PRs you can come up with here. :pray:
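
A diagnostic for the question raised in this thread ("Do these work with Python GI?"), added here as an example and not code from gp-saml-gui or from either commenter. It reports the WebKitGTK version loaded at runtime and whether the installed GI typelib exposes the two functions named above; the `AuthenticationScheme.CLIENT_CERTIFICATE_REQUESTED` check and the helper names `meets_minimum`, `load_webkit2` and `probe` are additions for this example.

```python
"""Probe the installed WebKit2GTK GI bindings for client-certificate support."""

MIN_VERSION = (2, 34, 0)  # release the thread cites for the client-cert methods

# (class, attribute) pairs. The first two are named in the thread; the enum
# value is an extra check added for this example.
SYMBOLS = [
    ("Credential", "new_for_certificate"),
    ("WebContext", "allow_tls_certificate_for_host"),
    ("AuthenticationScheme", "CLIENT_CERTIFICATE_REQUESTED"),
]


def meets_minimum(version, minimum=MIN_VERSION):
    """True if a (major, minor, micro) tuple is at least `minimum`."""
    return tuple(version) >= tuple(minimum)


def load_webkit2(api_version="4.0"):
    """Return the WebKit2 GI namespace, or None if it cannot be loaded."""
    try:
        import gi
        gi.require_version("WebKit2", api_version)
        from gi.repository import WebKit2
        return WebKit2
    except (ImportError, ValueError):  # PyGObject or the typelib is missing
        return None


def probe(webkit2):
    """Report the runtime version and which client-cert symbols are visible."""
    if webkit2 is None:
        return {"available": False, "version": None,
                "new_enough": False, "symbols": {}}
    version = (webkit2.get_major_version(),
               webkit2.get_minor_version(),
               webkit2.get_micro_version())
    symbols = {f"{cls}.{attr}": hasattr(getattr(webkit2, cls, None), attr)
               for cls, attr in SYMBOLS}
    return {"available": True, "version": version,
            "new_enough": meets_minimum(version), "symbols": symbols}


if __name__ == "__main__":
    report = probe(load_webkit2())
    print("WebKit2 available:", report["available"], "version:", report["version"])
    print("At least %d.%d.%d:" % MIN_VERSION, report["new_enough"])
    for name, present in report["symbols"].items():
        print(f"  {name}: {'present' if present else 'MISSING'}")
```

The version functions report the shared library loaded at runtime, while symbol visibility depends on the installed typelib, so a mismatch between the two lines of output is itself a useful finding to attach to a bug report.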