Describe the bug
When using Mutual TLS authentication in Tyk, it is not possible to upload a Certificate Authority (CA) certificate in the API definition and make Tyk check if the presented client certificate was issued by said CA. Tyk is only able to compare the hash of the presented certificate against the hashes of all certificates allow-listed in the API definition.
This behavior severely limits the usability of Tyk's mTLS authentication method because it is oftentimes not possible or practical to allow-list every issued certificate that should have access to an API. At @paymenttools we're currently using a custom Go authentication plugin to work around this issue, but it would be great if Tyk would properly support CA chain validation in mTLS.
Reproduction steps
Steps to reproduce the behavior:
Generate your own self-signed CA and a client certificate.
Create an API using mTLS and upload the CA certificate
Try to use the client certificate to authenticate at the API
Actual behavior
The client certificate is not allowed to access the API since its hash does not match the hash of the uploaded CA certificate.
Expected behavior
The client certificate was granted access because it could be validated against the uploaded CA certificate.
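The two checks the report contrasts, as an added Go example that is neither Tyk's code nor the reporter's plugin: it builds a throwaway CA and a CA-issued client certificate in memory (constructed for the example, not real certificates), then shows that a SHA-256 fingerprint allow-list holding only the CA rejects the client certificate, while x509 chain verification against a CA pool accepts it and still rejects a certificate from an unrelated CA. All function and type names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// certAndKey pairs a certificate with the private key that signs for it.
type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA builds a throwaway self-signed CA in memory (constructed for the example).
func newCA(name string) (*certAndKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certAndKey{cert: cert, key: key}, nil
}

// newClientCert issues a client-auth leaf certificate signed by ca.
func newClientCert(ca *certAndKey, name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// fingerprint is the hex SHA-256 of the DER encoding, what a hash allow-list stores.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// allowedByHash models the check the report describes: the presented
// certificate passes only if its own fingerprint is on the allow-list.
func allowedByHash(allowed []string, presented *x509.Certificate) bool {
	fp := fingerprint(presented)
	for _, a := range allowed {
		if a == fp {
			return true
		}
	}
	return false
}

// allowedByChain is the behaviour the report asks for: the presented certificate
// passes if it chains to a trusted CA and is valid for client authentication
// (Verify also enforces the validity period and extended key usage).
func allowedByChain(trusted []*x509.Certificate, presented *x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range trusted {
		pool.AddCert(ca)
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	ca, _ := newCA("Example Root CA")
	client, _ := newClientCert(ca, "client-1")
	other, _ := newCA("Unrelated CA")
	fmt.Println("hash allow-list (CA only):", allowedByHash([]string{fingerprint(ca.cert)}, client)) // false
	fmt.Println("chain to trusted CA:      ", allowedByChain([]*x509.Certificate{ca.cert}, client))  // true
	fmt.Println("chain to unrelated CA:    ", allowedByChain([]*x509.Certificate{other.cert}, client)) // false
}
```

The `KeyUsages` option matters: without it `Verify` defaults to server authentication and would reject a leaf issued for client auth only. Chain verification replaces the per-certificate allow-list, but it does not by itself cover revocation; a gateway that trusts a CA needs a separate CRL or OCSP check to turn away certificates the CA has since revoked.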