TLS Client Certificate authentication
WAMP transports running over TLS can make use of TLS transport-level authentication.
This authentication takes place after the completion of the TLS handshake.
Static
An example static configuration for this authentication is:
"auth": {
    "tls": {
        "type": "static",
        "principals": {
            "client_0": {
                "certificate-sha1": "B6:E5:E6:F2:2A:86:DB:3C:DC:9F:51:42:58:39:9B:14:92:5D:A1:EB",
                "role": "backend"
            }
        }
    }
}
Here, a client with the authid “client_0” needs to connect using TLS and using a certificate with the given fingerprint (certificate-sha1) in order to be able to authenticate. It is then assigned the authrole “backend”.
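How a certificate-sha1 value is derived and matched against the principals, as an added example that is not code from this documentation or the project it describes: the fingerprint is the SHA-1 digest of the DER-encoded certificate, written as colon-separated uppercase hex like the value in the configuration above. The function names and the sample bytes are assumptions made for illustration (the sample is a constructed stand-in, not a real certificate), and the project's own matching may differ in detail.

```python
import hashlib
import ssl


def certificate_sha1(pem_cert: str) -> str:
    """Fingerprint a PEM certificate as colon-separated uppercase SHA-1 hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)  # the digest is taken over the DER bytes
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Drop separators and case so 'b6e5...' and 'B6:E5:...' compare equal."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def match_principal(principals: dict, presented_fp: str):
    """Return (authid, role) for the principal pinned to presented_fp, else None."""
    presented = normalize(presented_fp)
    if len(presented) != 40:  # a SHA-1 digest is 20 bytes, i.e. 40 hex characters
        return None
    for authid, entry in principals.items():
        pinned = normalize(entry.get("certificate-sha1", ""))
        if pinned == presented:
            return authid, entry["role"]
    return None


# Constructed stand-in bytes, NOT a real certificate. PEM <-> DER conversion
# is only base64 wrapping, so any bytes round-trip for demonstration purposes.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder DER bytes")
SAMPLE_FP = certificate_sha1(SAMPLE_PEM)

# Same shape as the "principals" block in the static configuration.
PRINCIPALS = {"client_0": {"certificate-sha1": SAMPLE_FP, "role": "backend"}}

if __name__ == "__main__":
    print(SAMPLE_FP)                                       # value to pin in the config
    print(match_principal(PRINCIPALS, SAMPLE_FP))          # pinned certificate
    print(match_principal(PRINCIPALS, "00:" * 19 + "00"))  # unknown certificate
```

To pin a real client certificate, pass the contents of its PEM file to certificate_sha1 and place the result in the principal's certificate-sha1 field.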
We provide a full working example for this.
Dynamic
With dynamic authentication, the URI of an authenticator component is provided as part of the config, and this is then called on each authentication attempt.
"auth": {
    "tls": {
        "type": "dynamic",
        "authenticator": "com.example.authenticate"
    }
}
We provide a full working example for this.
For more on dynamic authenticators read this documentation page.