You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Nov 22, 2023. It is now read-only.
The ClientAuthFactory for Keywhiz clients allows clients to be identified based on
the SecurityContext of the connection to Keywhiz
a certificate forwarded in the "x-forwarded-client-cert" header (used by the commonly-used Envoy proxy)
a client SPIFFE ID in the header identified by the "callerSpiffeIdHeader" in Keywhiz' configuration
The factory currently requires the "x-forwarded-client-cert" header to be set even if the "callerSpiffeIdHeader" is also set. However, if the "callerSpiffeIdHeader" is set, then the "x-forwarded-client-cert" header should not be used to identify the client (since some proxy configurations set both headers but use only the "callerSpiffeIdHeader" to identify the client).
The factory should probably be updated to not require the "x-forwarded-client-cert" header if the "callerSpiffeIdHeader" is set. This will require refactoring some of the existing logic, which ensures that the entity setting an "x-forwarded-client-cert" header is allowed to do so, to separately check whether the entity is allowed to set the "callerSpiffeIdHeader." (Currently, the factory relies on the "x-forwarded-client-cert" check to check whether the entity is allowed to set the "callerSpiffeIdHeader" as well.)
The ClientAuthFactory for Keywhiz clients allows clients to be identified based on
The factory currently requires the "x-forwarded-client-cert" header to be set even if the "callerSpiffeIdHeader" is also set. However, if the "callerSpiffeIdHeader" is set, then the "x-forwarded-client-cert" header should not be used to identify the client (since some proxy configurations set both headers but use only the "callerSpiffeIdHeader" to identify the client).
The factory should probably be updated to not require the "x-forwarded-client-cert" header if the "callerSpiffeIdHeader" is set. This will require refactoring some of the existing logic, which ensures that the entity setting an "x-forwarded-client-cert" header is allowed to do so, to separately check whether the entity is allowed to set the "callerSpiffeIdHeader." (Currently, the factory relies on the "x-forwarded-client-cert" check to check whether the entity is allowed to set the "callerSpiffeIdHeader" as well.)