Open de-jcup opened 3 years ago
Another main concern is how to rotate client certificates. A rotation of the client certificate is necessary once the client certificate reaches the end of its validity or a client certificate was compromised and needs to be changed. Regardless of the reason why the client certificate needs to be changed, changing the client certificate will cause downtime.
One solution would be to allow more than one client certificate to be active at the same time. This would make a zero-downtime client certificate rotation possible.
The problem with having multiple certificates active at any given point in time is that people might forget which certificate is active. To solve this issue, one should introduce a limitation where only two or three certificates can be active at any given point in time.
Situation
At the moment we only check for an API token to give user access. Reason is to make it simple and easy for integrations.
Wanted
We want to provide client certificates for 2FA API communication.
Solution
To make things easier, at the moment we will introduce a new environment variable to enable/disable client certificate checks for API communication. This way we do not need any global configuration caching etc., so API communication is not slowed down.
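Added example, not code from this issue or from the project it belongs to: a small Python sketch of the two ideas above, a per-user registry capped at a fixed number of active client certificates so a rotation overlaps instead of cutting over, and an environment-variable switch that decides whether the certificate is demanded as a second factor on top of the API token. The variable name `API_CLIENT_CERT_CHECK_ENABLED`, the cap of two, the class and function names, and the DER byte strings are all assumptions and constructed sample data.

```python
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed names, not taken from the issue: the switch that enables the
# certificate check and the cap on simultaneously active certificates per user.
ENV_CLIENT_CERT_CHECK = "API_CLIENT_CERT_CHECK_ENABLED"
MAX_ACTIVE_CERTS = 2


def fingerprint(der_bytes):
    """SHA-256 over the DER encoding; the registry stores and compares only this."""
    return hashlib.sha256(der_bytes).hexdigest()


@dataclass
class ClientCert:
    fingerprint: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False  # flagged when the certificate is known to be compromised

    def is_valid_at(self, now):
        return not self.revoked and self.not_before <= now <= self.not_after


@dataclass
class ClientCertRegistry:
    """Active client certificates per user, capped at MAX_ACTIVE_CERTS."""
    certs: dict = field(default_factory=dict)  # user id -> list[ClientCert]

    def activate(self, user, cert):
        active = self.certs.setdefault(user, [])
        if any(c.fingerprint == cert.fingerprint for c in active):
            raise ValueError("certificate is already active for this user")
        if len(active) >= MAX_ACTIVE_CERTS:
            raise ValueError(f"only {MAX_ACTIVE_CERTS} certificates may be active; retire one first")
        active.append(cert)

    def retire(self, user, fp):
        self.certs[user] = [c for c in self.certs.get(user, []) if c.fingerprint != fp]

    def revoke(self, user, fp):
        for c in self.certs.get(user, []):
            if c.fingerprint == fp:
                c.revoked = True

    def matches(self, user, fp, now):
        return any(c.fingerprint == fp and c.is_valid_at(now) for c in self.certs.get(user, []))


def client_cert_check_enabled(env=None):
    """Read the switch from the process environment (or a dict, for tests); off by default."""
    env = os.environ if env is None else env
    return env.get(ENV_CLIENT_CERT_CHECK, "false").strip().lower() in ("1", "true", "yes")


def authorize(registry, user, api_token_ok, presented_der, now, env=None):
    """The API token is always required; the client certificate is the second
    factor and is only demanded when the switch is on, so integrations that
    do not present one keep working until the check is switched on."""
    if not api_token_ok:
        return False
    if not client_cert_check_enabled(env):
        return True
    if presented_der is None:
        return False
    return registry.matches(user, fingerprint(presented_der), now)


# Constructed stand-ins for DER-encoded certificates (not real certificates).
OLD_DER = b"constructed-der-bytes-old-cert"
NEW_DER = b"constructed-der-bytes-new-cert"
THIRD_DER = b"constructed-der-bytes-third-cert"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
ENV_ON = {ENV_CLIENT_CERT_CHECK: "true"}


def rotation_walkthrough():
    """Overlap rotation: add the new certificate, confirm both work, then retire
    the old one. Returns the authorization result after each step."""
    reg = ClientCertRegistry()
    reg.activate("alice", ClientCert(fingerprint(OLD_DER), NOW - timedelta(days=300), NOW + timedelta(days=30)))
    steps = [authorize(reg, "alice", True, OLD_DER, NOW, ENV_ON)]      # old cert alone
    reg.activate("alice", ClientCert(fingerprint(NEW_DER), NOW, NOW + timedelta(days=365)))
    steps.append(authorize(reg, "alice", True, OLD_DER, NOW, ENV_ON))   # old still works during overlap
    steps.append(authorize(reg, "alice", True, NEW_DER, NOW, ENV_ON))   # new verified before cut-over
    reg.retire("alice", fingerprint(OLD_DER))
    steps.append(authorize(reg, "alice", True, OLD_DER, NOW, ENV_ON))   # old no longer accepted
    steps.append(authorize(reg, "alice", True, NEW_DER, NOW, ENV_ON))   # new carries on
    return steps


def limit_and_revocation():
    """A third activation is refused; a revoked (compromised) certificate fails
    even though it is still inside its validity period."""
    reg = ClientCertRegistry()
    reg.activate("bob", ClientCert(fingerprint(OLD_DER), NOW, NOW + timedelta(days=30)))
    reg.activate("bob", ClientCert(fingerprint(NEW_DER), NOW, NOW + timedelta(days=365)))
    try:
        reg.activate("bob", ClientCert(fingerprint(THIRD_DER), NOW, NOW + timedelta(days=365)))
        limit_rejected = False
    except ValueError:
        limit_rejected = True
    reg.revoke("bob", fingerprint(NEW_DER))
    return limit_rejected, authorize(reg, "bob", True, NEW_DER, NOW, ENV_ON)
```

Two design choices worth noting: the registry keys on the certificate fingerprint rather than storing whole certificates, and a compromised certificate is marked revoked instead of simply removed, so it is rejected even while still inside its validity window and the revocation remains visible to whoever audits the registry.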
Use cases:
More things to think about
Technical details for checks: