Skip to content
/ flask-tlsauth Public
forked from stef/flask-tlsauth

flask extension for doing TLS client cert authentication

0 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kristofer/flask-tlsauth

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
demo
demo
 
 
flask_tlsauth
flask_tlsauth
 
 
MANIFEST.in
MANIFEST.in
 
 
README.org
README.org
 
 
setup.py
setup.py
 
 

Repository files navigation

Flask-TLSAuth

Flask-TLSAuth integrates a minimal certificate authority (CA) and implements TLS client certificate authentication. It depends on nginx for handling the TLS authentication part.

Installation

pip install flask_tlsauth

Flask-TLSAuth depends on tlsauth which provides minimal tools to act as a CA. Please follow the “CA and https service install” steps from https://github.com/stef/tlsauth to set up your webserver and CA.

tlsauth decorator

Flask-TLSAuth provides a simple decorator to guard your entry points:

from flask import Flask, Response, redirect
import os
app = Flask(__name__)
app.secret_key = 'some secret randomness'

# we need a CA
from tlsauth import CertAuthority
import flask_tlsauth as tlsauth

# previously we setup up the CA according to the tlsauth doc
ca=CertAuthority('<path-to-ca>')

adminOs=['CA admins']
# grants admin access to anyone with a
# valid cert asserting membership in "CA admins"
tlsauth.tlsauth_init(app, ca, groups=adminOs)

def unauth():
    return redirect("/")

@app.route('/hello')

# lets protect this valuable function,
# redirecting unauthorized visitors to /
@tlsauth.tlsauth(unauth=unauth, groups=adminOs)
def hello():
    return Response("hello world")

Managing certs

Flask-TLSAuth provides a few default routes to manage the certs and the CA.

tlsauth/register

Visitors can register like on a normal site, but when done, they get a PKCS12 certificate ready to be saved and imported in all browsers. This is totally automatic and there’s no check if the specified organization is not a privileged one (like “CA admins” in the above example). This really provides no security, for bots and scripts it’s even easier to use these certs than for normal humans. Other mechanisms must be deployed to provide meaningful authentication.

tlsauth/certify

Visitors can submit their Certificate Signing Request (can be easily generated using gencert.sh from tlsauth), which depending on configuration either returns automatically a signed certificate (no meaningful authentication this way, avoid this!), or it gets stored for later approval by the “CA admins”.

tlsauth/cert

Returns the CA root certificate in PEM format, for import into your browser.

tlsauth/csrs

Displays a list of incoming CSRs to any certified member of the “CA admin” group. The certs can be either rejected or signed, in the later case the resulting certificate is sent to the email address of the subject.

tlsauth/test

Displays whether you are TLS authenticated and what your distinguished name is.

About

flask extension for doing TLS client cert authentication

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%