
Commit 126f3b9

Merge pull request #1888 from liggitt/request-header-cn
Allow restricting allowed client certificates for RequestHeaderIdentityProvider
2 parents b01698d + 8bcb625 commit 126f3b9


1 file changed

+14
-8
lines changed

install_config/configuring_authentication.adoc

Lines changed: 14 additions & 8 deletions
@@ -608,14 +608,16 @@ oauthConfig:
608608
challengeURL: "https://www.example.com/challenging-proxy/oauth/authorize?${query}" <5>
609609
loginURL: "https://www.example.com/login-proxy/oauth/authorize?${query}" <6>
610610
clientCA: /path/to/client-ca.file <7>
611-
headers: <8>
611+
clientCommonNames: <8>
612+
- my-auth-proxy
613+
headers: <9>
612614
- X-Remote-User
613615
- SSO-User
614-
emailHeaders: <9>
616+
emailHeaders: <10>
615617
- X-Remote-User-Email
616-
nameHeaders: <10>
618+
nameHeaders: <11>
617619
- X-Remote-User-Display-Name
618-
preferredUsernameHeaders: <11>
620+
preferredUsernameHeaders: <12>
619621
- X-Remote-User-Login
620622
----
621623
<1> This provider name is prefixed to the user name in the request header to
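Review bot: the new `clientCommonNames:` list in this hunk is inserted between `clientCA` and `headers` with nothing in the sample itself indicating that it depends on `clientCA` (the explanation below says it can only be used in combination with `clientCA`); since readers copy these samples, consider a short trailing comment on the list item, e.g. `- my-auth-proxy # requires clientCA`, so the dependency is visible in the YAML and not only in callout <8>. The renumbering of callouts <8> through <12> is consistent with the explanation block and the sample otherwise reads fine.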
@@ -639,13 +641,17 @@ replaced with the current query string.
639641
<7> Optional: PEM-encoded certificate bundle. If set, a valid client certificate
640642
must be presented and validated against the certificate authorities in the
641643
specified file before the request headers are checked for user names.
642-
<8> Header names to check, in order, for the user identity. The first header containing
644+
<8> Optional: list of common names (`cn`). If set, a valid client certificate with
645+
a Common Name (`cn`) in the specified list must be presented before the request headers
646+
are checked for user names. If empty, any Common Name is allowed. Can only be used in combination
647+
with `clientCA`.
648+
<9> Header names to check, in order, for the user identity. The first header containing
643649
a value is used as the identity. Required, case-insensitive.
644-
<9> Header names to check, in order, for an email address. The first header containing
650+
<10> Header names to check, in order, for an email address. The first header containing
645651
a value is used as the email address. Optional, case-insensitive.
646-
<10> Header names to check, in order, for a display name. The first header containing
652+
<11> Header names to check, in order, for a display name. The first header containing
647653
a value is used as the display name. Optional, case-insensitive.
648-
<11> Header names to check, in order, for a preferred user name, if different than the immutable
654+
<12> Header names to check, in order, for a preferred user name, if different than the immutable
649655
identity determined from the headers specified in `headers`. The first header containing
650656
a value is used as the preferred user name when provisioning. Optional, case-insensitive.
651657
====
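Review bot: the wording of the new <8> callout leaves the failure behaviour implicit: it says a certificate with a listed Common Name "must be presented" but does not state what happens when a certificate that validates against `clientCA` carries a CN that is not in the list; since this is the security-relevant property of the option, consider stating explicitly that such a request is rejected and the request headers are not consulted. Two smaller points in the same callout: "Optional" followed by "If set ... If empty, any Common Name is allowed" is ambiguous about whether an empty list counts as set, so "If omitted or empty" would be clearer; and the neighbouring callouts each say whether matching is case-insensitive, so readers will expect <8> to say whether CN comparison is exact-match.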
