programatik29 / axum-server

High level server designed to be used with axum framework.
MIT License

Feature request: Optional mTLS #82

Closed finnbear closed 1 year ago

finnbear commented 1 year ago

I have an HTTPS server (:wink:) that accepts two forms of traffic, unauthenticated and authenticated, and would like to use AllowAnyAnonymousOrAuthenticatedClient or similar to support both. However, I don't see a way to tell if client authentication was successful at all and/or call peer_certificates.

I looked into into_make_service_with_connect_info but that accesses an &AddrStream before the TLS handshake.

Any thoughts on how mTLS could be made optional while letting the tower service know the client authentication status?

From the network perspective, I'd like:

On the Axum side, I'd like the following:

Router::new()
    .route("/idea1", axum::routing::get(move |
        ConnectInfo(addr): ConnectInfo<SocketAddr>,
        AcceptInfo(certs): AcceptInfo<Option<Vec<Certificate>>> // i.e. from peer_certificates
    | async move { match certs { Some(certs) if check_certs(&certs) => { ... } _ => { ... } } }))
    .route("/idea2", axum::routing::get(move |
        ConnectInfo(addr): ConnectInfo<SocketAddr>,
        AcceptInfo(auth): AcceptInfo<ClientAuthentication> // enum ClientAuthentication { Authenticated, Anonymous }
    | async move { if auth.is_authenticated() { ... } else { ... } }));

*the name AcceptInfo is just bikeshedding

Edit: I no longer need this. Feel free to close it as not planned if you don't find it useful.

programatik29 commented 1 year ago

This should already be possible by implementing a custom acceptor using the Accept trait.