I’m considering using the FastAPI framework for implementing a rather simple API, but it needs to support mTLS. AFAIK FastAPI is based on Starlette. Is it possible to check a client certificate in Starlette?

Fedor
  • Everything is possible, but wouldn't it be easier to handle SSL on a webserver (nginx, apache etc.) and forward the meta headers to your upstream application? – Hedde van der Heide Jan 08 '20 at 08:45
  • @HeddevanderHeide Probably it would be, but in my case, client identification shall be done based on the certificate and the certificates are to be registered through the same API, so an nginx-based setup could be quite complex. Currently considering different options. Actually I came across this https://www.ajg.id.au/2018/01/01/mutual-tls-with-python-flask-and-werkzeug/ WSGI-based solution and thought something similar could be done with ASGI/Starlette. Unfortunately my experience in the topic is not enough, so I was looking for some hints from people familiar with the topic. – Fedor Jan 08 '20 at 09:12
  • I wish @tomchristie could help with this – Fedor Jan 10 '20 at 20:29
  • Would you be so kind as to give an example of how this was accomplished or point me somewhere? I'm struggling to find useful documentation on this. Thanks. – JimmyJames Apr 08 '20 at 16:52

1 Answer

No, according to the Starlette documentation, you may use an HTTPSRedirectMiddleware to force use of https, but no certificate verification is natively implemented in Starlette.

You may re-implement a cert verification yourself but it will be very dirty ... in my opinion the best is to handle the certificate verification directly on the webserver or the middleware.

You may use uwsgi to treat client certificate authentication or (re-)implement your API using Flask + Gunicorn which will allow you to do client certificate verification. (e.g. here)

A. STEFANI
  • Thanks for the answer. We ended up checking client certificates with Gunicorn (API itself is being implemented with FastAPI and running with uvicorn). – Fedor Jan 24 '20 at 08:28
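The proxy-terminated setup suggested in Hedde van der Heide's comment and in the answer, as an added example that is not code from the question, the answer or Starlette: a framework-free ASGI middleware that enforces the proxy's client-certificate verdict and hands the verified subject DN to the app. The header names X-SSL-Client-Verify and X-SSL-Client-S-DN are assumptions matching an nginx `proxy_set_header` configuration, and the check is only sound when the application is reachable exclusively through that proxy, which overwrites both headers on every forwarded request.

```python
import asyncio

# Assumed header names, matching an nginx configuration such as:
#   proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
#   proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
# nginx sets $ssl_client_verify to "SUCCESS", "FAILED:<reason>" or "NONE".
VERIFY_HEADER = b"x-ssl-client-verify"
DN_HEADER = b"x-ssl-client-s-dn"


class ClientCertMiddleware:
    """Pure ASGI middleware: trusts the proxy's verdict, never the client's.

    Only safe when the app is unreachable except through the proxy, which
    overwrites these headers, so a client cannot inject its own copies.
    """

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        headers = {k.lower(): v for k, v in scope["headers"]}
        if headers.get(VERIFY_HEADER) != b"SUCCESS":
            # No (or an unverified) client certificate: refuse before the app runs.
            await send({"type": "http.response.start", "status": 403,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"client certificate required"})
            return
        # Expose the verified subject DN under a constructed key for the app to use.
        scope.setdefault("state", {})["client_dn"] = headers.get(DN_HEADER, b"").decode()
        await self.app(scope, receive, send)


async def hello(scope, receive, send):
    """Minimal downstream ASGI app that identifies the caller by its DN."""
    body = ("hello " + scope["state"]["client_dn"]).encode()
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": body})


def handle(headers):
    """Drive the stack in-process with constructed request headers; returns (status, body)."""
    sent = []
    async def send(msg): sent.append(msg)
    async def receive(): return {"type": "http.request", "body": b""}
    scope = {"type": "http", "method": "GET", "path": "/", "headers": headers}
    asyncio.run(ClientCertMiddleware(hello)(scope, receive, send))
    return sent[0]["status"], sent[1]["body"].decode()
```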