/app should only accept client certificates that are already saved in the database.
/register should be used to submit new certificates. After registration, display a "success" page and allow the user to click a link to the /app page so they can login using their new certificate and set the certificate scope to /app
The motivation is that I would like to do more with registration in the future (aggressive rate limiting, prevent duplicate CNs, etc.) and it is currently difficult without a separate endpoint to control user flow.
I would also like to eventually support associating new certificates with old accounts, and the current behavior of automatically creating a new account is limiting.
Proposal:
/appshould only accept client certificates that are already saved in the database./registershould be used to submit new certificates. After registration, display a "success" page and allow the user to click a link to the/apppage so they can login using their new certificate and set the certificate scope to/appThe motivation is that I would like to do more with registration in the future (aggressive rate limiting, prevent duplicate CNs, etc.) and it is currently difficult without a separate endpoint to control user flow.
I would also like to eventually support associating new certificates with old accounts, and the current behavior of automatically creating a new account is limiting.