erlef/oidcc

`tls_client_auth` authentication mode

Closed this issue · 5 comments

previous text on MTLS

I think this is going to be a bit more complicated. I ran an initial test against the FAPI 2.0 Security Profile conformance tests, and ran into this failure:

Client certificate not found; the client did not supply a MTLS certification to the endpoint. In some cases this may be because the client is, incorrectly, configured to supply a TLS certificate only if the server explicitly requires a certificate at the TLS level.

OTP (at least OTP 26.1.2 and 26.2.1) is not sending a client certificate unless the server requests one with a CertificateRequest message. It's possible there's some SSL configuration which will force sending the Certificate message from the client even if it's not requested. If not, supporting this (at least for the conformance suite) will require a patch upstream.

The underlying issue isn't that Erlang/OTP doesn't send the client certificate. It's that httpc by default maintains a connection to the server, and doesn't appear to create a new connection if the ssl options change. Since we already make a request to the host (to get the Provider Configuration and JWKs), there's an open connection which didn't use the client certificate.

One option looks to be starting a new profile which doesn't use keep-alives, and defaulting to it for requests which include client certificates. I'm sure there are others, though!

@paulswartz Is there a reason why we wouldn’t set the client cert on everything? (Including the Configuration and JWKs)

That's a good point; I didn't realize that request_opts is also a parameter for oidcc_provider_configuration:load_configuration. I'll give that a shot.

This kind of works. If you don't load anything from the relevant host, everything passes.

But, if you have multiple issuers at the same hostname (as we do with the conformance suite), then accessing any provider on that host before the mTLS one causes the issue again.

@paulswartz Yeah, that’s not great. I’m wondering if it is a bug that httpc is reusing connections with different configurations.

In that case we’ll probably have to start new inets profiles for different TLS settings or consider a different HTTP client.
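As an added illustration of the separate-profile approach raised in the comments above (it is not oidcc's own code), this starts a dedicated httpc profile with keep-alive disabled and routes mTLS requests through it, so they never reuse a connection that was opened without a client certificate; the profile name and certificate paths are assumptions.

```erlang
%% Added example, not code from the oidcc project: keep mTLS requests in
%% their own httpc profile so they never share a keep-alive connection with
%% earlier, certificate-less requests to the same host (discovery, JWKs).
%% Profile name and PEM file paths are assumptions.
-module(mtls_profile_example).
-export([start/0, request/2]).

%% Dedicated httpc profile (assumed name; any atom works).
-define(PROFILE, oidcc_mtls_example).

%% Start a separate httpc profile and make its persistent connections
%% expire immediately, so each request negotiates a fresh TLS session
%% with the client certificate instead of reusing a pooled connection.
start() ->
    ok = application:ensure_started(inets),
    ok = application:ensure_started(ssl),
    {ok, _Pid} = inets:start(httpc, [{profile, ?PROFILE}]),
    ok = httpc:set_options([{keep_alive_timeout, 0}], ?PROFILE).

%% Issue a GET through the mTLS profile. CertFile/KeyFile are paths to
%% the PEM-encoded client certificate and private key (placeholders).
%% The server is still verified against the system CA store (OTP 25+).
request(Url, {CertFile, KeyFile}) ->
    SslOpts = [{certfile, CertFile},
               {keyfile, KeyFile},
               {verify, verify_peer},
               {cacerts, public_key:cacerts_get()}],
    httpc:request(get, {Url, []},
                  [{ssl, SslOpts}],   % HTTP options: TLS config
                  [],                 % request options
                  ?PROFILE).          % route via the mTLS-only profile
```

Requests made through the default profile (for example to fetch the provider configuration) keep their own connection pool, so ordering of calls against the same hostname no longer decides which TLS session the token request ends up on.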