We decided to involve the OpenID Connect authentication in our project. The identity provider server uses x509 certificates confirmation as an authentication method. So, should we make an additional programming logic (for example on the NodeJS side) to verify user's certs, or is this an identity provider's and browser's responsibility? Is it enough to make a correct OpenID Connect configuration (client_id, client_secret, issuer etc.) and not to make an accent on the different auth strategies?
1 Answer
x509 certificates are not usually used to authenticate users due to the infrastructure overhead that would require. If they ever were (e.g. by the user needing to have a certificate installed in the browser) it would be managed as a custom authentication endpoint that requires mTLS.
x509 certificates are sometimes used to authenticate clients at the token endpoint. For example, in B2B or mobile device management use cases you can use mTLS token endpoints.
After authentication, APIs typically only verify the access token and implement authorization. They do not deal with authentication concerns.
In some mTLS use cases, API requests are made using mTLS channels according to RFC 8705, in which case an API gateway typically implements certificate validation.