flask-tlsauth

flask extension for doing TLS client cert authentication

Stars
31
Committers
2
View Code on GitHub
Ecosystems: Python
  • Flask-TLSAuth

Flask-TLSAuth integrates a minimal certificate authority (CA) and implements TLS client certificate authentication. It depends on nginx for handling the TLS authentication part.

** Installation #+BEGIN_SRC sh pip install flask_tlsauth #+END_SRC Flask-TLSAuth depends on tlsauth which provides minimal tools to act as a CA. Please follow the "CA and https service install" steps from https://github.com/stef/tlsauth to set up your webserver and CA.

** tlsauth decorator Flask-TLSAuth provides a simple decorator to guard your entry points: #+BEGIN_SRC python from flask import Flask, Response, redirect import os app = Flask(name) app.secret_key = 'some secret randomness'

we need a CA

from tlsauth import CertAuthority import flask_tlsauth as tlsauth

previously we setup up the CA according to the tlsauth doc

ca=CertAuthority('')

adminOs=['CA admins']

grants admin access to anyone with a

valid cert asserting membership in "CA admins"

tlsauth.tlsauth_init(app, ca, groups=adminOs)

def unauth(): return redirect("/")

@app.route('/hello')

lets protect this valuable function,

redirecting unauthorized visitors to /

@tlsauth.tlsauth(unauth=unauth, groups=adminOs) def hello(): return Response("hello world") #+END_SRC

** Managing certs Flask-TLSAuth provides a few default routes to manage the certs and the CA.

*** /tlsauth/register/ Visitors can register like on a normal site, but when done, they get a PKCS12 certificate ready to be saved and imported in all browsers. This is totally automatic and there's no check if the specified organization is not a privileged one (like "CA admins" in the above example). This really provides no security, for bots and scripts it's even easier to use these certs than for normal humans. Other mechanisms must be deployed to provide meaningful authentication.

*** /tlsauth/certify/ Visitors can submit their Certificate Signing Request (can be easily generated using gencert.sh from tlsauth), which depending on configuration either returns automatically a signed certificate (no meaningful authentication this way, avoid this!), or it gets stored for later approval by the "CA admins".

*** /tlsauth/cert/ Returns the CA root certificate in PEM format, for import into your browser.

*** /tlsauth/csrs/ Displays a list of incoming CSRs to any certified member of the "CA admin" group. The certs can be either rejected or signed, in the later case the resulting certificate is sent to the email address of the subject.

*** /tlsauth/test/ Displays whether you are TLS authenticated and what your distinguished name is.

Related Projects
stash

a private dropbox

07 Apr 2013 17
certauth

Simple CertificateAuthority and host certificate creation, useful for man-in-the-middle HTTPS proxy

29 Mar 2015 25
tlsauth

a simple framework for nginx based tls auth with a flask example

19 Mar 2013 22
certidude

Easy to use Certificate Authority web service for OpenVPN, StrongSwan and HTTPS

12 Jul 2015 126
certsling

Opinionated letsencrypt acme client working via a ssh port forward.

17 Dec 2015 17
autocert

Automatic TLS cert issuance and renewal for Python web apps

06 Mar 2021 9
cert-hero

Python Stand-alone Library to Download the SSL Certificate for Any Host™

16 Oct 2023 7
Certipy

Tool for Active Directory Certificate Services enumeration and abuse

06 Oct 2021 2,333
certbot

Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on yo...

12 Nov 2014 30,940