Enabling 2-way PKI authentication
Created by: bitsandbytes
I need 2-way authentication to be configurable because my company requires all internal webapps to use it.
The proposal is three-fold. I want the following to be configurable:
- Configure the webapp to request the client's certificate,
- Once the webapp receives the certificate, pass information about the cert to the Express.js server,
- Make the webapp's certificate and key configurable.
Background on this:
- Two-way authentication involves the browser/client sending a user's certificate to the back-end.
- Passport, for example, has a strategy for this: https://github.com/ripjar/passport-client-cert
- In proxying environments, it's acceptable for the webapp/frontend to send certificate attributes to the backend
- This was discussed here, #1413 (closed), which provides some useful links:
  - http://www.zeitoun.net/articles/client-certificate-x509-authentication-behind-reverse-proxy/start
  - https://serverfault.com/questions/622855/nginx-proxy-to-back-end-with-ssl-client-certificate-authentication
  - https://lists.gt.net/apache/users/350827
Without the above I can't easily test my passport setup and can't easily test my custom authentication code until I build for production.
My open questions are:
- Is there any way to customize the webapp's configuration? It appears to me we have to rely on create-react-app to do it for us.
- My understanding from #1413 (closed) is that WDS will also need modifications in order for the webapp to pass cert attributes to the backend. I'll need to raise an issue for that over at WDS. Is this correct?
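A sketch of the flow this issue asks for, added here as an illustration; it is not code from the project, from webpack-dev-server, or from the issue author. The header names (`x-client-verify`, `x-client-dn`, `x-client-fingerprint`), the function names and the trusted-proxy address list are assumptions; the TLS options are the ones Node's `https.createServer()` accepts.

```javascript
// Hypothetical header names reserved for proxy-to-backend certificate attributes.
const FORWARDED = ['x-client-verify', 'x-client-dn', 'x-client-fingerprint'];

// Dev-server side: options for https.createServer() so the browser is asked
// for a certificate. key/cert/ca are PEM strings or Buffers taken from config.
function tlsOptions({ key, cert, ca }) {
  // rejectUnauthorized:false lets the handshake finish so the app can decide;
  // socket.authorized still records whether the chain verified against `ca`.
  return { key, cert, ca, requestCert: true, rejectUnauthorized: false };
}

// Dev-server side: headers to send upstream. Anything the browser sent under
// the reserved names is dropped first, so a client cannot assert an identity.
function upstreamHeaders(req) {
  const out = {};
  for (const [name, value] of Object.entries(req.headers)) {
    if (!FORWARDED.includes(name.toLowerCase())) out[name] = value;
  }
  const peer = req.socket.getPeerCertificate();
  const ok = Boolean(req.socket.authorized && peer && peer.subject);
  out['x-client-verify'] = ok ? 'SUCCESS' : 'NONE';
  if (ok) {
    out['x-client-dn'] = Object.entries(peer.subject)
      .map(([k, v]) => `${k}=${v}`).join(',');
    out['x-client-fingerprint'] = peer.fingerprint256;
  }
  return out;
}

// Express side: accept the attributes only when the request comes from the
// known proxy address and the proxy reports a verified certificate.
function clientCertAuth(trustedProxies) {
  return (req, res, next) => {
    const fromProxy = trustedProxies.includes(req.socket.remoteAddress);
    if (!fromProxy || req.headers['x-client-verify'] !== 'SUCCESS') {
      res.statusCode = 401;
      return res.end('client certificate required');
    }
    req.clientCert = {
      dn: req.headers['x-client-dn'],
      fingerprint: req.headers['x-client-fingerprint'],
    };
    next();
  };
}
```

The backend check depends on the Express server being reachable only through the proxy; if it listens on a public interface, the forwarded headers carry no assurance.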