passport.js strategy for TLS client certificate authentication and authorisation.
passport-client-cert is for TLS connections made directly to a Node.js application.
The strategy constructor requires a verify callback, which will be executed on each authenticated request. It is responsible for checking the validity of the certificate and user authorisation.
`passReqToCallback` - optional. Causes the request object to be supplied to the verify callback as the first parameter.
The verify callback is passed the client certificate object and a `done` callback. The `done` callback must be called as described in the passport.js documentation.
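var passport = require('passport');
var ClientCertStrategy = require('passport-client-cert').Strategy;

// Register the strategy. The verify callback receives the TLS client
// certificate object presented on the connection and a passport `done`
// callback; it decides whether that certificate maps to an authorised user.
passport.use(new ClientCertStrategy(function(clientCert, done) {
  // A certificate without a readable subject is treated as unauthorised
  // rather than letting a property access throw inside the verify callback.
  var subject = clientCert && clientCert.subject;
  var cn = subject ? subject.cn : undefined;
  var user = null;

  // The CN will typically be checked against a database
  if (cn === 'test-cn') {
    user = { name: 'Test User' };
  }

  // done(err, user): a null user is reported to passport as an
  // authentication failure, so unknown CNs are rejected.
  done(null, user);
}));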
The verify callback can be supplied with the request object by setting the `passReqToCallback` option to `true`, and changing the callback arguments accordingly.
passport.use(new ClientCertStrategy({ passReqToCallback: true }, function(req, clientCert, done) {
  // With passReqToCallback the request is the first argument; `req` is
  // available for request-scoped checks but is not used in this example.
  var subjectCn = clientCert.subject.cn;

  // The CN would normally be looked up in a user store; only the fixed
  // test CN is accepted here, everything else yields a null user.
  var matchedUser = subjectCn === 'test-cn' ? { name: 'Test User' } : null;

  done(null, matchedUser);
}));
Install and start the example server app:
# install dependencies, then start the example server from its directory
$ npm install
$ cd example
$ node example-server.js
Submit a request with a client certificate (`-k` disables verification of the example server's self-signed certificate and is only appropriate for this local example):
# -k skips server certificate verification (local example only);
# --cert/--key present the client certificate, --cacert names the example CA
$ curl -k --cert certs/joe.crt --key certs/joe.key --cacert certs/ca.crt https://localhost:3443
If `curl` fails and you are using OSX Mavericks or newer (where support for ad-hoc CA certificates is broken), try `wget` instead:
# --no-check-certificate likewise skips server certificate verification (local example only)
$ wget -qSO - --no-check-certificate --certificate=certs/joe.crt --private-key=certs/joe.key --ca-certificate=certs/ca.crt https://localhost:3443/
Requests submitted with `joe.crt` are authorised because `joe` is in the list of valid users. Requests submitted without a certificate, or with `bob.crt`, will fail with an HTTP 401.
# install dependencies and run the test suite
$ npm install
$ npm test