Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API Gateway MTLS "clientCert" Availability? #469

Open
coreyowensbillgo opened this issue Jul 25, 2022 · 5 comments
Open

API Gateway MTLS "clientCert" Availability? #469

coreyowensbillgo opened this issue Jul 25, 2022 · 5 comments

Comments

@coreyowensbillgo
Copy link

coreyowensbillgo commented Jul 25, 2022
edited
Loading

Serverless Java Container version: eg. 1.5
1.6

Implementations: Jersey / Spring / Spring Boot / Spring Boot 2 / Spark
Spring Boot

Framework version: eg SpringBoot 2.2.6.RELEASE
2.6.6

Frontend service: REST API / HTTP API / ALB
REST API

Scenario

I am utilizing MTLS authentication for my API Gateway: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

In the documentation, it mentions that the clientCert is populated in the API GW's event payload when it is passed along to Lambda authorizers via the requestContext.

I want to base my authorization on the clientCert's subjectDN's CN within my java code, but I am not sure if it's possible or how I can access the clientCert from within my Java lambda utilizing aws-serverless-java-container. (I realize the lambda isn't a lambda authorizer, but I was hoping it may still be accessible) Any suggestions?

Expected behavior

I would expect that clientCert is available within AwsProxyRequest's AwsProxyRequestContext
EX:

    "authentication": {
        "clientCert": {
            "clientCertPem": "-----BEGIN CERTIFICATE-----\nMIIEZTCCAk0CAQEwDQ...",
            "issuerDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Private CA",
            "serialNumber": "1",
            "subjectDN": "C=US,ST=Washington,L=Seattle,O=Amazon Web Services,OU=Security,CN=My Client",
            "validity": {
                "notAfter": "Aug  5 00:28:21 2120 GMT",
                "notBefore": "Aug 29 00:28:21 2020 GMT"
            }
        }
    },
    ...

Actual behavior

I don't see anything in AwsProxyRequest or AwsProxyRequestContext related to certs or authentication.

Steps to reproduce

Set up a REST API Gateway pointing to your aws-serverless-java-container lambda. Add custom domain. Create certs. Enable MTLS. Make call to the REST API Gateway and attempt to find clientCert object from API GW event payload.

Full log output

N/A
@deki
Copy link
Collaborator

deki commented Jul 25, 2022

Hi @coreyowensbillgo,
thanks for reporting this issue. Would you be willing to work on a pull request for it? I'm happy to review, merge it and release a new version.
Otherwise I'll look into it mid/ end of August.

@coreyowensbillgo
Copy link
Author

@deki I'll dig further in and confirm if API Gateway is even expanding the event payload with the the clientCert information when it is sent to a Lambda that's not an "lambda authorizer". Thank you for the quick reply.

@deki
Copy link
Collaborator

deki commented Aug 26, 2022

Hi @coreyowensbillgo, have you made progress in the meantime? I plan to get a 1.9 release next month and would like to include a fix.

deki added a commit to deki/aws-serverless-java-container that referenced this issue Sep 5, 2022
@deki
feat: support client cert properties (aws#469)
4cc4a3b
@coreyowensbillgo
Copy link
Author

@deki Apologies for the late response, I've been away on vacation. My work around this had been put on the back-burner, but I'm happy to see you've made some progress!

@deki
Copy link
Collaborator

deki commented Sep 6, 2022

Yeah I just added the missing properties but haven't made further progress (unittests, testing, docs, ...).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@deki @coreyowensbillgo