证书x509 Laravel身份验证SSL
[英]cert x509 Laravel auth SSL
问题描述
I'm trying to implement a digital signature to log in in a web with Laravel(php) and I can't find good information. 
我正在尝试实现数字签名以使用Laravel(php)登录网络,但是我找不到很好的信息。
I think I should use x509 SSL but I can't find nothing. 我认为我应该使用x509 SSL,但我什么也没找到。 I just found that: 我刚发现:
https://github.com/ingria/laravel-x509-auth/wiki/Using-other-cert-attributes https://github.com/ingria/laravel-x509-auth/wiki/Using-other-cert-attributes
https://github.com/ndavison/laravel-clientcert/blob/master/ClientCertAuthMiddleware.php#L33 https://github.com/ndavison/laravel-clientcert/blob/master/ClientCertAuthMiddleware.php#L33
But I'm not sure about that. 但是我不确定。 I would appreciate any help. 我将不胜感激任何帮助。
1 个解决方案
解决方案1
0 2018-07-27 18:38:32
The short answer: 简短的答案:
You need to configure your web server to challenge the client when it connects for a client certificate. 您需要将Web服务器配置为在连接客户端证书时挑战客户端。 That is usually done by specifying your client certificate authority you accept a cert from. 通常,这是通过指定接受证书的客户证书颁发机构来完成的。
I have written auth controllers in Laravel 5.x before for client tls auth in combination with LDAP, specifically using windows active directory certificate services user certificates. 我之前在Laravel 5.x中为结合LDAP的客户端tls auth编写了身份验证控制器,特别是使用Windows Active Directory证书服务用户证书。 External directory information is still required once they are authenticated to determine group based permissions for example. 外部目录信息经过身份验证以确定例如基于组的权限后,仍然需要外部目录信息。
Once the web server challenges and accepts a client cert, your application needs to do a bunch of validation, including what attribute are you going to use to uniquely identify user? 一旦Web服务器质询并接受了客户端证书,您的应用程序就需要进行一系列验证,包括您将使用什么属性来唯一标识用户? LDAP distinguished name? LDAP专有名称? User principal name? 用户主体名称? Non-windows certificate attribute? 非Windows证书属性?
Use an X509 cert dumper like openssl -in client.cer -noout -text to look at all the attributes and decide what you need to check and map to a user account in Laravel. 使用像opensl -in client.cer -noout -text这样的X509证书转储者可以查看所有属性,并确定需要检查哪些内容并映射到Laravel中的用户帐户。
That all said, most people dont just rely on a user cert (although that is super handy for no-interaction-required and very secure authentication) they leverage an external identity provider via something like SAML or OAUTH. 综上所述,大多数人不仅仅依靠用户证书(尽管对于不需要交互且非常安全的身份验证非常方便),他们通过SAML或OAUTH等方式利用外部身份提供商。
In my case, I use Azure active directory at work and register my apps in the corporate AAD then use a handy laravel service provider like https://github.com/metaclassing/PHP7-Laravel5-EnterpriseAuth which was based on the laravel socialite for azure-ad and some added cert auth goodness. 就我而言,我在工作中使用Azure活动目录,并在公司AAD中注册我的应用程序,然后使用方便的laravel服务提供程序,例如https://github.com/metaclassing/PHP7-Laravel5-EnterpriseAuth ,该服务基于laravel社交网站azure-ad和一些附加的证书身份验证优点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.