wintercg / fetch

WinterCG changes to the WHATWG Fetch standard

Mutual TLS (mTLS) #3

Open panva opened 2 years ago

panva commented 2 years ago

Proposal

I would like to propose that the CG pursue standardization of Mutual TLS authentication in the fetch API.

This is a feature that is not likely to be implemented by browser runtimes but is in my opinion missing in non-browser runtimes where fetch is the only interoperable HTTP client.

The use-case I have in mind is implementation of OAuth mTLS Client Authentication and Client Certificate-Bound Access Tokens.

Prior Art

Node.js - https module has the option to provide the cert, key, crl, passphrase, pfx, and ca options.

Deno - using deno --unstable there's Deno.createHttpClient, the result of which can be passed as a client property to fetch's init argument. This method accepts certChain, privateKey, and caCerts options.

lucacasonato commented 2 years ago

I think this extends past just mTLS, to also custom CA certs, and disabling HTTPS verification altogether.