ripjar / passport-client-cert
Passport.js strategy for PKI client certificate authentication
License: MIT License
Interesting project!
It would be helpful if you could publish it to the npm repository so that it can be easily installed.
It is common, for various reasons, to put a web server in front of your Node implementation. On cursory review this presumes Node is terminating the connection; you can make this work behind a load balancer by setting some combination of these headers (presuming Nginx) and validating against them:
1: cert hash
proxy_set_header X-SSL-Client-hash $ssl_client_fingerprint;
2: cert in PEM
proxy_set_header X-SSL-Client-Cert $ssl_client_raw_cert;
3: issuer DN and subject serial
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
4: issuer and subject DNs
proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Client-I-DN $ssl_client_i_dn;
This would scale better than the current approach. You can set session caching very low for the associated vhost, get the server certificate easily with one of the Let's Encrypt clients, and in general it should work smoothly.
Oh, and you also want to be sure to check the value of $ssl_client_verify.
CNs themselves are not guaranteed to be unique; you can only uniquely identify a certificate with one of these options:
Not all certificates will have subjects (it is standards-compliant to have a null subject); for this reason the only secure and reliable way to do cert-to-user mapping is 3, 4, 5.
This is important for a few reasons, one of the most significant being that many CCA deployments will trust more than one CA (on purpose or by accident); for this reason two CAs can issue the same certificate and you would treat them the same.
One shortcoming of Nginx is that it requires the server to use the same list of CAs for CCA as it uses for other parts of its operation. This means that when using Nginx you typically need to either "open yourself up" to unnecessary trust anchors or disable verification of CCA certificates in Nginx (I think this isn't a problem in Apache, but it's been a while since I have looked; I am not sure about Node).
For this reason I would recommend designing this so it doesn't rely on the server logic for validation of the cert and instead does its own validation using $ssl_client_raw_cert and https://pkijs.org/examples/X509_cert_complex_example.html
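An added example, not part of the comment above and not passport-client-cert's own code, showing the Node side of the proxy-header approach: it requires $ssl_client_verify to be SUCCESS, restricts logins to an application-level issuer allow-list (narrower than whatever nginx has to trust), keys the user lookup on issuer DN plus serial rather than on the CN, and only believes the X-SSL-* headers when the request arrived from the proxy's address, since anyone who can reach Node directly can forge them. The header names follow the proxy_set_header lines above; the user table, the allowed issuer, and the proxy addresses are constructed for the example.

```javascript
'use strict';

// Header names as set by the proxy_set_header lines in the comment above.
// Node lower-cases incoming header names.
const H = {
  verify: 'x-ssl-client-verify',    // $ssl_client_verify: SUCCESS | FAILED:<reason> | NONE
  fingerprint: 'x-ssl-client-hash', // $ssl_client_fingerprint (SHA-1, hex)
  issuer: 'x-ssl-issuer',           // $ssl_client_i_dn
  serial: 'x-ssl-client-serial',    // $ssl_client_serial (hex)
  subject: 'x-ssl-client-s-dn',     // $ssl_client_s_dn (may be empty: null subject)
};

// nginx prints the serial as hex without a fixed width; canonicalise it so
// that "0a1b2c" and "0A1B2C" map to the same entry.
function normalizeSerial(serial) {
  return String(serial || '').replace(/^0+/, '').toUpperCase();
}

// Issuer DN + serial is unique within a CA; a CN alone is not, and a
// certificate may have no subject at all.
function certKey(issuerDn, serial) {
  return `${String(issuerDn || '').trim()}|${normalizeSerial(serial)}`;
}

// Constructed allow-list for the example (hypothetical CA and serials).
const USERS_BY_CERT = new Map([
  [certKey('CN=Example Internal CA,O=Example Corp', '0A1B2C'), { id: 'alice' }],
  [certKey('CN=Example Internal CA,O=Example Corp', '0A1B2D'), { id: 'bob' }],
]);

// CAs whose leaf certificates may log in. nginx may have to trust more CAs
// than this (ssl_client_certificate also serves other vhosts/purposes), so
// the narrower decision is made here, in the application.
const ALLOWED_ISSUERS = new Set(['CN=Example Internal CA,O=Example Corp']);

// Only the reverse proxy may vouch for a client certificate (assumed to sit
// on localhost for the example). Without this check the X-SSL-* headers are
// attacker-controlled for anyone who can reach Node directly.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

function identityFromProxyHeaders(headers, remoteAddress) {
  if (!TRUSTED_PROXIES.has(remoteAddress)) {
    return { ok: false, reason: 'headers not from trusted proxy' };
  }
  const h = (name) => String(headers[name] || '').trim();

  // 1. nginx's own chain verification must have succeeded.
  if (h(H.verify) !== 'SUCCESS') {
    return { ok: false, reason: `client verify: ${h(H.verify) || 'missing'}` };
  }
  // 2. Enforce the application's issuer allow-list.
  const issuer = h(H.issuer);
  if (!ALLOWED_ISSUERS.has(issuer)) {
    return { ok: false, reason: 'issuer not allowed' };
  }
  // 3. Look the user up by issuer + serial, never by CN.
  const user = USERS_BY_CERT.get(certKey(issuer, h(H.serial)));
  if (!user) {
    return { ok: false, reason: 'unknown certificate' };
  }
  return {
    ok: true,
    user,
    fingerprint: h(H.fingerprint).toLowerCase(),
    subject: h(H.subject), // informational only; may legitimately be empty
  };
}

// Express-style middleware shape; no framework import is needed to show it.
function proxyClientCertAuth(req, res, next) {
  const remote = req.socket && req.socket.remoteAddress;
  const result = identityFromProxyHeaders(req.headers, remote);
  if (!result.ok) {
    res.statusCode = 401;
    return res.end('Unauthorized: ' + result.reason);
  }
  req.user = result.user;
  next();
}

// Demo with a constructed request as the proxy would present it.
const demoReq = {
  headers: {
    'x-ssl-client-verify': 'SUCCESS',
    'x-ssl-issuer': 'CN=Example Internal CA,O=Example Corp',
    'x-ssl-client-serial': '0a1b2c',
    'x-ssl-client-s-dn': 'CN=alice',
  },
  socket: { remoteAddress: '127.0.0.1' },
};
const demoRes = { statusCode: 200, end(body) { this.body = body; } };
proxyClientCertAuth(demoReq, demoRes, () => console.log('authenticated as', demoReq.user.id));
```

If you forward the certificate itself (option 2), note that $ssl_client_raw_cert contains newlines, which a header value cannot carry; nginx provides $ssl_client_escaped_cert (URL-encoded) for that case, and on Node 15.6+ `new crypto.X509Certificate(decodeURIComponent(pem))` exposes `fingerprint256`, `issuer` and `serialNumber` so the forwarded DN/serial headers can be cross-checked against the certificate rather than trusted on their own.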
Good afternoon, I have been trying to implement this capability but I am having some trouble.
The routes are located in /routes/users.js
The passport.use(new ClientCertStrategy..... is located in auth/authorization.js
I am attempting to invoke the client-cert strategy on the users.js line:
router.use('/user', auth.authenticate('client-cert'), function(req, res, next) {
  console.log('authenticated');
  next();
});
But all I get is a 401 error.
In the authorization.js I have simplified it to return a user but still nothing:
// verify callback: always succeeds with a placeholder user
passport.use(new ClientCertStrategy(function(clientCert, done) {
  var user = "test";
  done(null, user);
}));
module.exports = passport;
Any suggestions?