-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IdentityServer4 integration (C#) mTLS #20
Comments
I don't know anything about IdentityServer4, and I don't really understand all the scope of what you're trying to do, but let me try to answer some of your questions. First
Autocert can create in a k8s pod client/server certificates and renew them using the JWT token.
It those users are persons, I don't think they will be using
Autocert takes care of the renewal of the certificates inside pods, but when you renew a certificate it always changes, the thumbprint will change, but it will still be using the same key, and names. People certificates can be renewed using
The OAuth2.0/OIDC flow for users requires a client id + client secret, these values are unique and configured once. But if you're using OAuth2.0 to authenticate "machines" using a client id+secret this flow is not supported by By default, all certificates generated by Now let's continue with the but ... When a pod with an autocert annotation is scheduled, autocert automatically injects a bootstrapper init container that generates the initial certificate using the JWT token generated by autocert. That container basically runs this script https://github.com/smallstep/autocert/blob/master/bootstrapper/bootstrapper.sh And with some work, you should be able to adapt it to generate the certificate using a different way, but an OIDC flow for users would be hard, but if IdentityServer4 provides a different way for "machines" it can be achieved. The other component that autocert injects is a sidecar container that just takes care of the renewal it just runs this command https://github.com/smallstep/autocert/blob/master/renewer/Dockerfile#L8 I hope I've answered some of your questions. |
Hey @joaoantunes let us know if you're still experiencing issues or have more questions. Otherwise, we'll mark the issue closed for the time being. |
I'm using IdentityServer4 (C#): is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core.
I will host IdentityServer4 using Kubernetes + SQL Database for storing client information. In order to validate the client and issuing the JWT tokens, we need to register the client information on the Database. This requires to store the ClientId and Client Secret (thumbprint of the Certificate or Certificate Name)
Why is needed
IdentityServer4 is a centralized generic way of securing API communication providing multiple protocols but has no features of issuing certificates, and mTLS requires this.
What is needed
Is possible to do the above topics using Autocert? I've been reading about, Autocert, step-certificates, and Cert-manager.
I think the above solutions are possible to achieve with step-certificates right? But step-certificates won't auto-renewal the certificates and won't deliver them to the Kubernetes containers right? How can I achieve this, does Autocert helps on this, I don't think I can use Autocert since I require to register the certificate name/thumbprint on IdentityServer4 Database, is it possible to do it, How?
The text was updated successfully, but these errors were encountered: