RE: Encountering certificate issue causing customers to be locked out

@john-spellman, Can you let us a bit more about how you created the key? Which option did you choose to import? Which certificate type did you use? You could try different types.

Anything you can tell us about which Identity Provider you created and what the architecture looks like will help. Is FusionAuth the IdP/SP or both?

Also, If you can share the settings of you SAML tab for the application (without sharing secrets), that may give us some insight to the issue as well, if you are using FusionAuth as an IdP.

I don't have a ton of experience with importing certificates, so if anyone out there knows better, please feel free to chime in.

I have set up a key for a SAML provider before and using an RSA/RS256 type key. I generated that key with FusionAuth, but I don't see any reason you couldn't import the key you need.

You may want to check out this blog to test a simple SAML configuration if your situation reflects the setup.

By using a proxy or gateway that supports mutual TLS, you can use it with FusionAuth.

For example, AWS ALB supports Mutual TLS verify where the ALB does client certificate verification. Nginx has similar functionality.

If you are running FusionAuth 'bare' and terminating TLS directly at the FusionAuth server, mutual TLS is not supported.

Hiya,

Does FusionAuth support mutual TLS where the client and server both have certificates?

(I'm not talking about mTLS token binding; I understand that is not implemented per https://github.com/FusionAuth/fusionauth-issues/issues/1025 .)

@john-spellman I'm glad you have access to the instance. If you need help in a non public forum and you have a paid plan which includes technical support, please open a ticket via your account portal.

If you don't have a paid plan and still want the private support, please check out theEssentials Plan. You will get private email support with that.

Other than that, I would recommend posting the issues here and removing any sensitive info.

Also, based on your request, be very careful of anyone reaching out to help privately. I like to believe the world is a good place, but there are bad actors out there looking to take advantage of people in your situation.

Hiya,

There are currently no plans to support the full mTLS spec. We are discussing DPoP (tracking issue) internally.

However, depending on your needs, there may be a workaround.

Since the client credentials grant depends on Entities, you can leverage this to inject a client certificate hash into an access token obtained through the client credentials grant.

How this works at a high level:

• Client Certificate Registration
  During onboarding, your customer (e.g., a bank) registers their client certificate. A hashed value of that certificate is securely stored in FusionAuth (entity.data). The hashing process is outlined in the RFC.
• Client Credentials Request
  When the bank requests an access token using the Client Credentials grant, a FusionAuth Lambda is invoked before the JWT is signed.
• Augment Custom Claims
  The Lambda code looks up the stored certificate hash and injects it as a claim in the JWT. For maximum compatibility with RFC 8705, it is recommended to add this hash to the cnf object in the JWT, like so:

"cnf":{
  "x5t#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2"
}

• Accessing the Resource Server or API
  The customer presents both the access token and presents their client certificate when calling your API.
• Validation Flow
  Your API:
  • verifies the JWT signature
  • computes a hash of the presented client certificate
  • compares it to the x5t#S256 claim in the token
• Decision Logic
  If the hashes match, the request is bound to the correct client and access is granted to the protected resource.

Does FusionAuth support mTLS token binding (RFC 8705, section 3) for the client credentials grant?

I found this issue but wasn't sure what the current status is: https://github.com/FusionAuth/fusionauth-issues/issues/1025

@kiouplidis, can you please give us a little more detail on how you are set up and exactly what you are trying to do. I see you are getting a NetworkError when trying to reach (auth.*.com). Is that an instance of FusionAuth hosted by FusionAuth or is that an instance of FusionAuth that you have deployed? How are you trying to access the resource? Through a web browser or are you trying to execute an API call? The more information you can provide, the easier it will be to help.

If you have a paid plan which includes technical support, please open a ticket via your account portal.

@john-spellman can you tell us a little more about your set up and situation? Was it working before? What changed? Can the one user still log into prod? The more detail you give the easier it will be for someone to help. Please do not post any passwords or secrets.

@laurent-bartet awesome! So it sounds like you had things set up right, you just were not logged out, so when you went back the reconcile event never took place cause you were already logged in. Is that right?

@laurent-bartet hmm.., since the lambda seems to be set up correctly but appears to not be hitting, let's take a step back and look at the configuration. Can you tell me a little more about that? What identity providers you are using and how they are configured? I read you are using SAML, but it appears in the log that you are using OAuth2. If you are using OAuth2, you might be able to use a JWT populate lambda in that case, but would like to know more about your setup.