EEParker
commented
7 years ago You might consider adding OAuth2 to the APIKey section. This could add flexibility if you already have a trusted OAuth provider, or if you implement a in-product OAuth service such as IdentityServer4.
The following authentication methods are supported. Note, authentication (a.k.a "Trust") must be established for both the client/server. So the client/server may desire different levels of authentication. Again comments are desired.
None: No Authentication will occur. Connection is automatically mutually trusted based on something else like and IP address.
Trusted Private Key: The private key is trusted, not the contents of the certificate. This can be used to trust self-signed certificates since the identifying information of a self-signed certificate is meaningless.
Trusted Root Certificate + CNAME: If the certification is signed by a trusted root and has a valid CNAME, this establishes a trusted connection.
NTLM: Uses NTLM to trust the credentials.
Kerberos: Uses Kerberos to trust the connection.
LDAP: Uses LDAP for authentication.
APIKey: Uses a user generated API Key that is the same for both client/server. Some kind of Challenge/Response method will be employed here. It will also incorporate the public keys of all x.509 certificates to ensure that there is not a man-in-the-middle attack. Currently, I'm thinking using SCRAM, since it's relatively simple. SRP would be superior, but it's rather difficult to implement and isn't native to .NET.