
I'm attempting to require both x509 certificate authentication as well as OIDC authentication simultaneously. Spring has a nice way to offer both, but not to require both. `httpSecurity.x509().and().openIdLogin()` is essentially `.or()`.

I can't find anything in Spring Security docs closely related, and I was really hoping to not have to write my own authentication mechanism.

bvulaj
  • Why do you need both with the request? Is one way not enough? – dur Jan 22 '18 at 18:01
  • @dur - We'd like to require the certificate for mutual TLS, in order to authenticate the origin server making the request, as well as an oidc token on behalf of the user making the request. – bvulaj Jan 22 '18 at 18:16
  • For TLS you don't need Spring Security; you could configure it in your server, for example see https://stackoverflow.com/questions/33808603/implementing-2-way-ssl-using-spring-boot. – dur Jan 22 '18 at 20:02
  • @dur so, if I configure my embedded container via `server.ssl.client-auth=need`, and then in my spring sec configuration, secure it with `openIdLogin` or whichever, can I still access the certificate credentials during the login flow? Does that effectively make _both_ required? – bvulaj Jan 22 '18 at 20:27
  • It makes both required, but you can't access the certificate credentials. Why do you need the certificate credentials? Are the openId credentials not enough? – dur Jan 23 '18 at 10:12
  • @dur I'd like to be able to whitelist / blacklist certain certificates, effectively allowing or disallowing certain machines to access our service. For example, if a client machine is compromised, I'd like to be able to disallow access completely from said machine. Thanks for the help so far. – bvulaj Jan 23 '18 at 14:27
  • You can do that in your server, for example with Tomcat property `crlFile` - *The certificate revocation list to be used to verify client certificates.* – dur Jan 23 '18 at 14:31
  • @dur Thanks - that puts me a little more on the right path. I'm using embedded tomcat - do you know if there's a way to configure the CRL? The only reference I've found so far is https://github.com/spring-projects/spring-boot/issues/6171 – bvulaj Jan 23 '18 at 15:15
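The following is an added example, not code from the question, the comments, or the Spring project, that puts the approach discussed above into one configuration: the embedded container enforces mutual TLS (`server.ssl.client-auth=need`, with `server.ssl.key-store` and a `server.ssl.trust-store` holding the client CA), Spring Security requires an OIDC login for every request, and a small servlet filter reads the client certificate the container exposes under the Servlet-spec request attribute `javax.servlet.request.X509Certificate` and rejects certificates on a deny list. It assumes Spring Boot 2 with Spring Security 5 (`oauth2Login()` for OIDC, with a `spring.security.oauth2.client.registration.*` entry configured), the package name `com.example.security`, and a constructed placeholder fingerprint in `DENIED_CERT_SHA256`.

```java
package com.example.security; // assumed package name

import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example: mTLS enforced by the container (server.ssl.client-auth=need),
// OIDC login required by Spring Security, plus a per-certificate deny list.
@Configuration
@EnableWebSecurity
public class MtlsPlusOidcSecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructed placeholder deny list: hex SHA-256 fingerprints of client
    // certificates whose machines must be locked out. Replace with real values.
    private static final Set<String> DENIED_CERT_SHA256 = new HashSet<>(Arrays.asList(
        "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"));

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The container already required a valid client certificate; this filter
            // adds the allow/deny decision per certificate before any security state is read.
            .addFilterBefore(new ClientCertificateDenyListFilter(DENIED_CERT_SHA256),
                             SecurityContextPersistenceFilter.class)
            .authorizeRequests()
                .anyRequest().authenticated()   // every request also needs a logged-in user
                .and()
            .oauth2Login();                      // OIDC login via Spring Security 5
    }

    /** Rejects requests whose client certificate is on the deny list. */
    static class ClientCertificateDenyListFilter extends OncePerRequestFilter {
        // Servlet-spec attribute that containers populate with the client cert chain.
        private static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";
        private final Set<String> deniedSha256;

        ClientCertificateDenyListFilter(Set<String> deniedSha256) {
            this.deniedSha256 = deniedSha256;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTRIBUTE);
            if (certs == null || certs.length == 0) {
                // Only reachable if mTLS is not actually enforced (client-auth=want, or TLS
                // terminated at a proxy): fail closed instead of falling through to OIDC only.
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
                return;
            }
            // certs[0] is the leaf, i.e. the client's own certificate.
            if (deniedSha256.contains(sha256Hex(certs[0]))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate denied");
                return;
            }
            chain.doFilter(request, response);
        }

        static String sha256Hex(X509Certificate cert) throws ServletException {
            try {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
                StringBuilder hex = new StringBuilder(digest.length * 2);
                for (byte b : digest) {
                    hex.append(String.format("%02x", b));
                }
                return hex.toString();
            } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
                throw new ServletException("cannot fingerprint client certificate", e);
            }
        }
    }
}
```

With `server.ssl.client-auth=need` the handshake itself fails for a client without a certificate from the trusted CA, and the OIDC requirement is enforced by `anyRequest().authenticated()`, so both factors are required rather than either. The in-application deny list is a lightweight substitute for the Tomcat `crlFile` mentioned in the comments; an actual CRL would instead be configured on the embedded connector and checked during the handshake, before any servlet filter runs.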

0 Answers