Mariusz Pala

Reputation: 1071

User authentication with no password but certificate instead?

In my application there is an existing authentication mechanism which accepts a username and password. What I need is a secure way to log in as the given user without the password. Let's say I have a REST API and a trusted source (a Java app) using it. One way would be to allow such access from trusted IP addresses, but that's not enough. What would be the best way to do it? E.g. some trusted certificate that the client app must use. The goal is basically to authenticate as the given user from an internal application without the password. We assume that this is a trusted application that should be allowed to do it, but still we need to somehow grant that trust and be able to verify it. Any help appreciated. Thank you

Upvotes: 0

Views: 350

Answers (1)

Michael Ströder

Reputation: 1318

You can of course use TLS client certificates for authenticating HTTPS access to your server. At the server side you have to implement some scheme to map the client certificate's subject name (DN) to some name or ID you're using for authorization.

Furthermore you need update procedures for the certificate in place, just like with server certificates. You should automate this and have certificate expiry monitoring in place.

An alternative might be looking into OAuth 2.0.

Upvotes: 1
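To show the two steps the answer names (the TLS layer accepting only client certificates issued by your own CA, then the server mapping the verified certificate's subject DN to an application user), here is an added example in Go; it is not code from the question or the answer, and is written in Go rather than the asker's Java only so that it runs self-contained. The CA, the names internal-ca, api.internal and batch-importer, and the users map are constructed for the demo; a real service would take the mapping from its user store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var users = map[string]string{"batch-importer": "svc-import"} // constructed sample mapping: subject CN -> application user ID
// newCert issues a short-lived Ed25519 certificate for cn, signed by issuer (a self-signed root when issuer is empty).
func newCert(cn string, isCA bool, issuer tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	if issuer.Leaf == nil { // no issuer given: the certificate signs itself (the demo's trusted internal CA)
		issuer = tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer.Leaf, pub, issuer.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Authenticate: one mutual-TLS handshake over loopback; the server trusts only ca, then maps the verified subject to a user.
func Authenticate(ca, client tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{newCert("api.internal", false, ca)},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, SessionTicketsDisabled: true})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: pool, ServerName: "api.internal"}) // the trusted client app
	conn, _ := ln.Accept()
	defer conn.Close()
	if err := conn.(*tls.Conn).Handshake(); err != nil {
		return "", err // e.g. the client's chain does not verify against ca, or no certificate was presented
	}
	cn := conn.(*tls.Conn).ConnectionState().VerifiedChains[0][0].Subject.CommonName // use VerifiedChains, never raw PeerCertificates
	if uid, ok := users[cn]; ok {
		return uid, nil
	}
	return "", errors.New("valid certificate, but subject CN " + cn + " is not mapped to a user")
}
```

A certificate issued by any other CA, or one that chains correctly but whose subject is not in the mapping, is rejected before any request is served, which is the property the question asks for.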
