
devman0 | 9 months ago

Client certs are strongly bound to the TLS handshake, and thus a connection, which makes them pretty unfriendly to a lot of proxy-driven architectures, whereas JWTs and Cookies can pass through proxies trivially, and are bound to requests, not connections. There is some work being done around standardizing pass-through of client cert information through proxies, but I'm not aware of any widespread support.


cyberpunk | 9 months ago

Istio passes the real client cert in a header through to the backend which makes it not too bad to validate in such cases (nginx or whatever can quite easily do this too)

devman0 | 9 months ago

Header passthrough is nice to have, but there isn't really a standard for it for TLS, and it isn't well supported by most applications that are interested in doing mTLS. Additionally, there is a trust component required between proxy and application, and while it can be accounted for in the architecture between the two, a JWT instead passes through nicely and can be independently validated by the application.
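To make the two points above concrete (the Istio-style forwarded cert header, and the proxy-to-application trust it requires), here is an added example that is not from either commenter: an application-side check that only honours the forwarded client identity when the request actually arrived from the trusted proxy. It assumes Envoy's `x-forwarded-client-cert` (XFCC) layout, i.e. semicolon-separated `key=value` pairs with quoted subjects and comma-separated hops, and a constructed proxy address range; neither is stated in the thread.

```python
import ipaddress
import re

# Constructed example: the only peers allowed to assert a client identity.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# key=value pairs; values may be quoted (Subject="CN=a,OU=b") or bare.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^;]*)')


def split_hops(value):
    """Split a multi-hop XFCC value on commas that sit outside quotes."""
    hops, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            hops.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    hops.append("".join(buf))
    return hops


def parse_xfcc(element):
    """Parse one hop's element into a dict, stripping quotes from values."""
    out = {}
    for key, raw in _PAIR.findall(element):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        out[key] = raw
    return out


def client_identity(peer_ip, headers):
    """Return the forwarded client Subject, or None if it cannot be trusted.

    The header is only meaningful if the TCP peer is our proxy; from any
    other peer it is attacker-controlled and must be ignored.
    """
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_PROXIES):
        return None
    xfcc = headers.get("x-forwarded-client-cert")
    if not xfcc:
        return None
    # Assumption: proxies append their element, so the first hop is the
    # edge proxy's view of the original client.
    fields = parse_xfcc(split_hops(xfcc)[0])
    if "Hash" not in fields or "Subject" not in fields:
        return None
    return fields["Subject"]
```

The same trust decision has to be made at the edge too: the proxy must overwrite or strip any incoming `x-forwarded-client-cert` before appending its own, or a client can simply supply one.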