CertificateThumbprintFilter
Extracts a Java certificate from a trusted header or from a TLS connection, computes the SHA-256 thumbprint of that certificate, and makes the thumbprint available for the ConfirmationKeyVerifierAccessTokenResolver. Use this filter to enable verification of certificate-bound access tokens.
CertificateThumbprintFilter computes and makes available the SHA-256 thumbprint of a client certificate as follows:
-
Evaluates a runtime expression and yields a
java.security.cert.Certificate
-
Hashes the certificate using SHA-256
-
Base64url-encodes the result
-
Stores the result in the contexts chain
The runtime expression can access or build a client certificate from any information present at runtime, such as a PEM in a header, or a pre-built certificate.
Use CertificateThumbprintFilter with ConfirmationKeyVerifierAccessTokenResolver when the IG instance is behind the TLS termination point, for example, when IG is running behind a load balancer or other ingress point.
Usage
{
"name": string,
"type": "CertificateThumbprintFilter",
"config": {
"certificate": runtime expression<certificate>,
"failureHandler": Handler reference,
}
}
Properties
"certificate"
: runtime expression<certificate>, required-
An EL expression which, when evaluated, yields an instance of a
java.security.cert.Certificate
.Use the following Functions in the expression to define hash, decoding, and certificate format:
-
digestSha256
, to calculate the SHA-256 hash of the certificate. -
decodeBase64url
, to decode an incoming base64url-encoded string. -
pemCertificate
, to convert a PEM representation string into a certificate.
See Examples.
-
Examples
The following example use the certificate associated with the incoming HTTP connection:
{
"name": "CertificateThumbprintFilter-1",
"type": "CertificateThumbprintFilter",
"config": {
"certificate": "${contexts.client.certificates[0]}"
}
}
The following example is adapted for a deployment with NGINX as the TLS
termination, where NGINX fronts IG. NGINX provides the client
certificate associated with its own incoming connection in the
x-ssl-client-cert
header. The certificate is encoded as PEM, and then
url-encoded:
{
"name": "CertificateThumbprintFilter-2",
"type": "CertificateThumbprintFilter",
"config": {
"certificate": "${pemCertificate(urlDecode(request.headers['x-ssl-client-cert'][0]))}"
}
}