Add peer certificates to ConnectInfo when TLS is used for the channel #2697

Closed
1 task done
clauverjat opened this issue Apr 3, 2024 · 1 comment

Comments

clauverjat commented Apr 3, 2024

  • I have looked for existing issues (including closed) about this

Feature Request

Motivation

When using TLS, the client can present certificates to authenticate to the server. Adding peer certificates to the ConnectInfo struct when TLS is used for the channel would enable the application to use the client identity (as described in the certificate) for authorization purposes. This could be used instead of cookies or API keys. Accessing the client certificate is natural for applications that are already using mTLS (using additional authentication methods for the client would be redundant). mTLS support in Axum has already been the subject of GH issues programatik29/axum-server#82 and #677.
But the provided mTLS example in https://github.com/ttys3/rust-mtls-axum-example/blob/45d07d3545a1affeeaf854dc6c4d1d7b3417c5fd/src/main.rs#L111 is about accepting or rejecting a peer depending on whether the presented certificate was issued by the expected CA. It is implemented using Rustls::ServerConfig. The example does not provide a way to get the TLS peer certificate from the application. I looked into it a bit deeper (though I am not familiar with the Axum codebase) and I think that supporting such a feature would require changes in axum and/or axum-server.

Proposal

If possible, I think a good place to add the peer certificate (actually the certificate chain presented by the client) would be in the ConnectInfo. That way it could be used by the application middlewares (created using into_make_service_with_connect_info).

As a possible inspiration/alternative, one can look into how this can be implemented in actix-web. Here is the actix-web example code: https://github.com/actix/examples/blob/master/https-tls/rustls-client-cert/src/main.rs, and the relevant GH issue actix/actix-web#946.
actix-web added an on_connect method that gets called just after a connection is established but before the connection is used. This method can then be used by the user to extract the certificate (and any relevant information about the TLS connection) and put it into an actix-web extension (whose role is to contain data specific to the given request).

Thanks
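A sketch of the proposed shape, added here as an example and not code from axum, axum-server or the issue author: a `Connected`-style hook copies the verified client chain into a `TlsConnectInfo`, and a middleware-side `authorize` maps the leaf certificate to a principal, denying when no certificate was presented or the leaf is unknown. `Connected`, `MockTlsConn`, `TlsConnectInfo`, `AuthError` and `authorize` are assumed names modeled on the pattern the issue describes; the DER bytes are constructed placeholders.

```rust
use std::net::SocketAddr;

/// Hook in the shape of axum's `Connected` trait: build per-connection info from the
/// accepted IO object. Assumed for illustration; not axum's own definition.
pub trait Connected<T>: Sized {
    fn connect_info(target: T) -> Self;
}

/// Constructed stand-in for an accepted TLS stream. Real code would expose the chain
/// the TLS library already verified against the trust anchor during the handshake.
pub struct MockTlsConn {
    pub remote_addr: SocketAddr,
    /// DER-encoded chain, leaf first; `None` if the client presented no certificate.
    pub peer_certs: Option<Vec<Vec<u8>>>,
}

/// The ConnectInfo the issue proposes: remote address plus the client's chain.
#[derive(Debug, Clone)]
pub struct TlsConnectInfo {
    pub remote_addr: SocketAddr,
    pub peer_certs: Option<Vec<Vec<u8>>>,
}

impl Connected<&MockTlsConn> for TlsConnectInfo {
    fn connect_info(c: &MockTlsConn) -> Self {
        TlsConnectInfo { remote_addr: c.remote_addr, peer_certs: c.peer_certs.clone() }
    }
}

#[derive(Debug, PartialEq)]
pub enum AuthError { NoClientCert, UnknownClient }

/// Middleware-side check: map the leaf cert (index 0, the one naming the client) to a known
/// principal; intermediates are the CA's. Pinning exact DER bytes is a simplification.
pub fn authorize(info: &TlsConnectInfo, allowlist: &[(&[u8], &str)]) -> Result<String, AuthError> {
    let chain = info.peer_certs.as_deref().ok_or(AuthError::NoClientCert)?;
    let leaf = chain.first().ok_or(AuthError::NoClientCert)?;
    allowlist.iter()
        .find(|(der, _)| *der == leaf.as_slice())
        .map(|(_, name)| (*name).to_string())
        .ok_or(AuthError::UnknownClient)
}

fn main() {
    // Constructed sample: placeholder bytes stand in for real DER certificates.
    let conn = MockTlsConn { remote_addr: "10.0.0.5:4443".parse().unwrap(),
        peer_certs: Some(vec![b"leaf-der".to_vec(), b"ca-der".to_vec()]) };
    let info = TlsConnectInfo::connect_info(&conn);
    let allow: &[(&[u8], &str)] = &[(&b"leaf-der"[..], "billing-service")];
    println!("{} -> {:?}", info.remote_addr, authorize(&info, allow));
}
```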

jplatte (Member) commented Apr 3, 2024

axum doesn't handle TLS now and will likely never do that. I think this is something axum-server could do though.

jplatte closed this as not planned on Apr 3, 2024