To allow easy integration with alternative authentication mechanisms, it should be possible to configure a trusted URL where it is assumed that if the user can reach the URL, they are trusted. This could be used with a proxy configured to require Mutual TLS for the configured path, for example.
```js
const config = {
  trustedEndpoint: {
    path: 'my-trusted-path',
    userIdHeader: 'X-Ssl-Cert-Hash',
  },
};
```
Which could be combined with an nginx config:
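```nginx
ssl_client_certificate /path/to/cert.crt;
# "optional" requests a client certificate without rejecting the handshake,
# so other paths keep working; the location below enforces verification.
# (ssl_verify_client may only be set once per context.)
ssl_verify_client optional;

location /ssoprefix/my-trusted-path {
    if ($ssl_client_verify != "SUCCESS") { return 403; }
    # Overwrites any X-Ssl-Cert-Hash value sent by the client.
    proxy_set_header X-Ssl-Cert-Hash $ssl_client_fingerprint;
}
```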
It may be desirable to have other options than `userIdHeader`, such as `userId` for a fixed user ID for anybody able to reach the endpoint.
Things to consider:
- Care must be taken by the user to ensure the endpoint is fully protected. Might be worth allowing a configurable header-based password which can be set in the proxy as a bit of extra protection against accidental misconfigurations (wouldn't provide much protection though)
- Should it be possible to configure multiple trusted endpoints? What would that look like?
- How should this interact with the existing client-exposed `authUrl` property?
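
One way the server side of this proposal could validate a request arriving on the trusted path, as an added example (not code from the project). `resolveTrustedUser`, `proxySecretHeader` and `proxySecret` are hypothetical names, the latter two standing in for the header-based password suggested above, and the 40-hex-character check assumes the nginx `$ssl_client_fingerprint` setup shown.

```javascript
// Added example: hypothetical server-side check for a trusted endpoint.
const crypto = require('node:crypto');

// Constant-time comparison; hashing first equalises the buffer lengths.
function secretsMatch(a, b) {
  const h = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// Returns the user ID to trust for this request, or null to reject it.
// `headers` uses lower-cased names, as Node's http module provides them.
function resolveTrustedUser(trustedEndpoint, headers) {
  // proxySecretHeader / proxySecret are assumed option names, not project API.
  const { userIdHeader, userId, proxySecretHeader, proxySecret } = trustedEndpoint;

  // Fail closed unless exactly one of userIdHeader / userId is configured.
  if (Boolean(userIdHeader) === (userId !== undefined)) return null;

  // Optional shared secret set by the proxy: a guard against a route that
  // reaches this path without passing through the mTLS-protected location.
  if (proxySecretHeader) {
    const got = headers[proxySecretHeader.toLowerCase()];
    if (typeof got !== 'string' || !proxySecret) return null;
    if (!secretsMatch(got, proxySecret)) return null;
  }

  // Fixed identity for anybody able to reach the endpoint.
  if (userId !== undefined) return String(userId);

  const value = headers[userIdHeader.toLowerCase()];
  // nginx's $ssl_client_fingerprint is a 40-character SHA-1 hex digest.
  // A missing, empty or repeated (comma-joined) header is rejected.
  if (typeof value !== 'string' || !/^[0-9a-f]{40}$/i.test(value)) return null;
  return value.toLowerCase();
}
```

A repeated `X-Ssl-Cert-Hash` header reaches Node as one comma-joined string, so the format check also rejects a request where a client-supplied copy survived alongside the proxy's value.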