tokio-rs/axum

Add peer certificates to ConnectInfo when TLS is used for the channel

Closed this issue · 1 comment

  • I have looked for existing issues (including closed) about this

Feature Request

Motivation

When using TLS, the client can present certificates to authenticate to the server. Adding peer certificates to the ConnectInfo struct when TLS is used for the channel would enable the application to use the client identity (as described in the certificate) for authorization purposes. This could be used instead of cookies or API keys. Accessing the client certificate is natural for applications that are already using mTLS (using additional authentication methods for the client would be redundant). mTLS support in Axum has already been the subject of GH issues programatik29/axum-server#82 and #677.
But the provided mTLS example in https://github.com/ttys3/rust-mtls-axum-example/blob/45d07d3545a1affeeaf854dc6c4d1d7b3417c5fd/src/main.rs#L111 is about accepting or rejecting a peer depending on whether the presented certificate was issued by the expected CA. It is implemented using Rustls::ServerConfig. The example does not provide a way to get the TLS peer certificate from the application. I looked into it a bit deeper (though I am not familiar with the Axum codebase) and I think that supporting such a feature would require changes in axum and/or axum-server.

Proposal

If possible I think a good place to add the peer certificate (actually the certificate chain presented by the client) would be in the ConnectInfo. That way it could be used by the application middleware (created using into_make_service_with_connect_info).

As a possible inspiration/alternative, one can look into how this can be implemented in actix-web. Here is the actix-web example code: https://github.com/actix/examples/blob/master/https-tls/rustls-client-cert/src/main.rs, and the relevant GH issue actix/actix-web#946
actix-web added an on_connect method that gets called just after a connection is established but before the connection is used. This method can then be used by the user to extract the certificate (and any relevant information about the TLS connection) and put it into an actix-web extension (whose role is to contain data specific to the given request).

Thanks
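A sketch of the design the proposal describes, added here as an example and not code from the issue, from axum or from axum-server. It models the three steps: a TLS-aware accept step that knows the peer certificate chain, a `Connected` implementation that copies that chain into a `TlsConnectInfo` value, and a per-request authorization check that maps the leaf certificate to a principal instead of a cookie or API key. Assumptions: the `Connected` trait below is a local copy of the shape of axum's `axum::extract::connect_info::Connected<T>` so the file compiles without the crate; `TlsAcceptedStream` and its `peer_certificates()` method are hypothetical stand-ins for what axum-server/rustls would have to hand to `connect_info` (rustls' `ServerConnection::peer_certificates` has that shape, leaf first, but axum-server does not expose it today); the certificate bytes are constructed placeholders, not real DER.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr, SocketAddr};

/// Local stand-in for axum's `axum::extract::connect_info::Connected<T>`,
/// copied with the same shape (`fn connect_info(target: T) -> Self`) so this
/// file compiles without the axum crate. Against real axum you implement the
/// real trait and name the type in `into_make_service_with_connect_info`.
pub trait Connected<T>: Clone + Send + Sync + 'static {
    fn connect_info(target: T) -> Self;
}

/// Hypothetical accepted TLS stream as a TLS-aware server would hand it to
/// `connect_info` (assumption: axum-server does not expose this today).
/// `peer_certificates` mirrors rustls' `ServerConnection::peer_certificates`:
/// `None` when the client presented no certificate, otherwise the DER chain
/// with the leaf first and the issuers after it.
pub struct TlsAcceptedStream {
    remote_addr: SocketAddr,
    peer_certs: Option<Vec<Vec<u8>>>,
}

impl TlsAcceptedStream {
    pub fn new(remote_addr: SocketAddr, peer_certs: Option<Vec<Vec<u8>>>) -> Self {
        Self { remote_addr, peer_certs }
    }
    pub fn remote_addr(&self) -> SocketAddr {
        self.remote_addr
    }
    pub fn peer_certificates(&self) -> Option<&[Vec<u8>]> {
        self.peer_certs.as_deref()
    }
}

/// The ConnectInfo payload the proposal asks for: remote address plus the
/// certificate chain the client presented, if any.
#[derive(Clone, Debug)]
pub struct TlsConnectInfo {
    pub remote_addr: SocketAddr,
    pub peer_certs: Option<Vec<Vec<u8>>>,
}

impl<'a> Connected<&'a TlsAcceptedStream> for TlsConnectInfo {
    fn connect_info(target: &'a TlsAcceptedStream) -> Self {
        TlsConnectInfo {
            remote_addr: target.remote_addr(),
            // Copy the chain out: ConnectInfo must be 'static and is cloned per request.
            peer_certs: target.peer_certificates().map(|chain| chain.to_vec()),
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum AuthzError {
    /// Plain TCP, or TLS where the client sent no certificate.
    NoClientCertificate,
    /// A certificate list was sent but it was empty.
    EmptyChain,
    /// The leaf is not mapped to any principal.
    UnknownClient,
}

/// Authorization from the TLS client identity instead of a cookie or API key.
/// The allow-list maps pinned leaf-certificate DER bytes to a principal; a real
/// deployment would key on a fingerprint or on the subject/SAN parsed from the
/// leaf (e.g. with the x509-parser crate), with the same decision flow.
/// Deny by default: anything but a known leaf is an error.
pub fn authorize(
    info: &TlsConnectInfo,
    allowed_leaves: &HashMap<Vec<u8>, String>,
) -> Result<String, AuthzError> {
    let chain = info.peer_certs.as_ref().ok_or(AuthzError::NoClientCertificate)?;
    // Leaf first; only the leaf identifies the client. Whether the chain
    // validates against the trusted CA was already decided by the handshake
    // (the ServerConfig client verifier), not here.
    let leaf = chain.first().ok_or(AuthzError::EmptyChain)?;
    allowed_leaves.get(leaf).cloned().ok_or(AuthzError::UnknownClient)
}

/// What a middleware behind `into_make_service_with_connect_info` would do
/// per request: take the ConnectInfo for the connection and authorize on it.
pub fn handle_request(
    stream: &TlsAcceptedStream,
    allowed_leaves: &HashMap<Vec<u8>, String>,
) -> Result<String, AuthzError> {
    let info = TlsConnectInfo::connect_info(stream);
    authorize(&info, allowed_leaves)
}

fn main() {
    let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 4443);
    // Constructed placeholder "DER" byte strings, not real certificates.
    let alice_leaf = b"constructed-leaf-der-alice".to_vec();
    let ca = b"constructed-issuer-der-ca".to_vec();
    let mut allowed = HashMap::new();
    allowed.insert(alice_leaf.clone(), "alice".to_string());

    let cases = [
        ("mTLS, known leaf", TlsAcceptedStream::new(addr, Some(vec![alice_leaf, ca.clone()]))),
        ("mTLS, unknown leaf", TlsAcceptedStream::new(addr, Some(vec![b"constructed-leaf-der-mallory".to_vec(), ca]))),
        ("TLS without client cert", TlsAcceptedStream::new(addr, None)),
    ];
    for (label, stream) in &cases {
        println!("{label}: {:?}", handle_request(stream, &allowed));
    }
}
```

The point of keeping the chain in ConnectInfo rather than re-validating it in the handler is that the handshake already decided trust (CA membership); the application only needs the identity. The no-certificate and empty-chain branches are where a handler that blindly indexes `chain[0]` would panic or, worse, fall through to an unauthenticated path.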

axum doesn't handle TLS now and will likely never do that. I think this is something axum-server could do though.