greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0
1.32k stars 69 forks

question: x509 authentication #30

Open ainesophaur opened 2 years ago

ainesophaur commented 2 years ago

First, but unrelated to the topic, thank you for all of your amazing projects. I recently came across the thread which inspired you to write caddy-git, and your candor and contributions to the community are such a breath of fresh air.

Back on topic :)

I came across the x509 authp document, which has a TODO. I wasn't sure whether it was a TODO to write the documentation or the implementation and documentation.

I checked into the go-authcrunch (btw, I love the split from the original auth-portal. I love the fact that it could be included with my Gin projects :heart_on_fire:) and I couldn't find any implementations for x509 auth.

I'm in the planning phase for a project, for which x509 auth with caddy-security would be a wonderful fit.

I was curious if the ldap backend would be a good place for me to start with writing an x509 implementation. I would love to contribute any work back (if we go this route), but I wanted to see if you had any previous requirements, hurdles or issues with an x509 backend that I could take into consideration when contributing back.

greenpau commented 2 years ago

> First, but unrelated to the topic, thank you for all of your amazing projects. I recently came across the thread which inspired you to write caddy-git, and your candor and contributions to the community are such a breath of fresh air.

@ainesophaur , thank you for the kind words 👍 please consider https://github.com/greenpau/caddy-security/issues/14#issue-1111599735

> I came across the x509 authp document, which has a TODO. I wasn't sure whether it was a TODO to write the documentation or the implementation and documentation.

There are two types of possible x509 implementations.

  1. Session-based (TLS) at the connection level
  2. App-based at the HTTP app level.

The one I had in mind for Caddy is the "app-based". A user goes to portal, inputs username/email, gets dropped to "sandbox", and presented with a challenge. The sandbox triggers client-side JavaScript and user performs actions that utilize local certificate store. So ... I started experimenting with the JavaScript, but did not get to complete.

The "session-based" implementation was not in the books, because caddy and code were packaged as one. Now, when it is separate, this could be done (and then used with non-Caddy frameworks). Note: I think Caddy already has an x509 auth implementation.