====== AuthClientCert Plugin ======

---- plugin ----
description: Authenticate and create user from client x509 certificate
author     : Pawel Jasinski
email      : pawel.jasinski@gmail.com
type       : auth
lastupdate : 2019-03-30
compatible : Greebo
depends    : authplain
conflicts  : authchained
similar    : authhttp, authremoteuser
tags       : authentication x509 smartcard

downloadurl: https://github.com/paweljasinski/dokuwiki-plugin-authclientcert/zipball/master
bugtracker : https://github.com/paweljasinski/dokuwiki-plugin-authclientcert/issues
sourcerepo : https://github.com/paweljasinski/dokuwiki-plugin-authclientcert
donationurl:

screenshot_img :
----

===== Description =====

This plugin authenticates a user based on the content of a client certificate provided by a reverse proxy or a web server. The certificate is picked up from the ''$_SERVER'' variable. Either ''SSL_CLIENT_CERT'' or any HTTP header can be configured as the source of the certificate.

This plugin expects the certificate in PEM format. The BEGIN/END CERTIFICATE lines are optional.

This plugin does not perform any certificate validation. It is up to the configured web server or reverse proxy to validate the certificate before passing it on.

The following table shows the mapping between certificate fields and user info.

^ Certificate ^ User Info ^
| name employeeNumber (OID 2.16.840.1.113730.3.1.3) | user((The user name is sanitized the same way as in the authplain plugin, e.g. all characters are converted to lowercase.)) |
| extensions subjectAltName email | email |
| subject CN | real name |

If the certificate is present and none of the above fields is empty, the user is logged in. New users are created on their first login; a random password is generated for consistency. Logging out and profile editing are disabled. However, the administrator can modify group membership or delete a user.

The authclientcert plugin uses [[plugin:authplain]] as its back-end storage.
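The login decision described above, as an added example that is not the plugin's own code: it reads the certificate from a ''$_SERVER''-like dictionary under a configurable key, accepts the PEM body with or without the BEGIN/END lines, applies the mapping table, and refuses the login when any of the three fields is missing. It uses the Python ''cryptography'' library for the X.509 parsing; the variable names, the group name and the self-signed sample certificate are constructed here for illustration and do not come from the plugin.

```python
"""Added example, not the plugin's own code: the certificate-to-user mapping
described on the page, modelled with the `cryptography` library.

Assumptions (constructed for illustration): the $_SERVER variable names, the
group name and the self-signed sample certificate; the plugin's real
configuration keys and its auth.php may differ.
"""
import base64
import datetime
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# employeeNumber, the subject attribute the page maps to the user name
EMPLOYEE_NUMBER = x509.ObjectIdentifier("2.16.840.1.113730.3.1.3")
ARMOR_RE = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def certificate_from_server(server, source):
    """Read the certificate from a $_SERVER-like dict under key `source`.

    The value may be a complete PEM block or only its base64 body (the
    BEGIN/END lines are optional, as the page states). Returns the parsed
    certificate, or None when the value is missing or not decodable.
    No validation happens here: the value is trusted only because the
    reverse proxy validated the certificate before setting the variable.
    """
    raw = server.get(source)
    if not raw:
        return None
    body = re.sub(r"\s+", "", ARMOR_RE.sub("", raw))
    try:
        return x509.load_der_x509_certificate(base64.b64decode(body, validate=True))
    except ValueError:  # binascii.Error for bad base64 is a ValueError too
        return None


def user_info_from_certificate(cert, group):
    """Apply the mapping table: employeeNumber -> user, SAN email -> mail,
    subject CN -> name. All three must be non-empty, otherwise None is
    returned and no login takes place. The user name is lowercased as the
    page says authplain's sanitising does (authplain's cleanID does more;
    only the lowercase step is modelled here, an assumption of this example).
    """
    def first(values):
        return values[0] if values else ""

    user = first([a.value for a in cert.subject.get_attributes_for_oid(EMPLOYEE_NUMBER)])
    name = first([a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)])
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        mail = first(san.get_values_for_type(x509.RFC822Name))
    except x509.ExtensionNotFound:
        mail = ""
    if not (user.strip() and name.strip() and mail.strip()):
        return None
    return {"user": user.strip().lower(), "name": name, "mail": mail, "grps": [group]}


def login_from_server(server, source, group):
    """What the plugin decides on one request: a user info dict, or None."""
    cert = certificate_from_server(server, source)
    return None if cert is None else user_info_from_certificate(cert, group)


def make_sample_certificate(employee_number="E12345", cn="Jane Doe",
                            mail="Jane.Doe@example.com"):
    """Constructed self-signed certificate standing in for a smartcard
    certificate; pass an empty string to leave a field out."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, cn)] if cn else []
    if employee_number:
        attrs.append(x509.NameAttribute(EMPLOYEE_NUMBER, employee_number))
    subject = x509.Name(attrs)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(subject)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=1))
               .not_valid_after(now + datetime.timedelta(days=1)))
    if mail:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(mail)]), critical=False)
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM).decode()


if __name__ == "__main__":
    pem = make_sample_certificate()
    print(login_from_server({"HTTP_X_SSL_CLIENTCERT_BASE64": pem},
                            "HTTP_X_SSL_CLIENTCERT_BASE64", "users"))
```

Because nothing in this path validates the certificate, the whole scheme rests on the proxy: it must require and verify the client certificate, and it must set the configured header itself on every request, so that a copy of that header arriving from the client can never reach the wiki unchanged.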
===== Installation =====

  * Install the plugin using the [[plugin:plugin|Plugin Manager]] and the download URL above, which points to the latest version of the plugin. Refer to [[:Plugins]] on how to install plugins manually.
  * Disable anonymous access and self registration.
  * Select the plugin as the authentication backend.
  * Configure the reverse proxy to validate the certificate and deliver it in the ''X_SSL_CLIENTCERT_BASE64'' header.
  * Configure the name of the HTTP header where the certificate is delivered: ''HTTP_X_SSL_CLIENTCERT_BASE64''.
  * Configure the name of the group to which new users are assigned.

===== Development =====

=== Change Log ===

  * **2019-02-16**
    * Initial release
  * **2019-03-30**
    * It is allowed to delete a user
    * If login is password based, logout is enabled

=== Known Bugs and Issues ===

This plugin does not work with [[plugin:authchained|authchained]].

=== ToDo/Wish List ===

The selection of the fields and the mapping are hard coded to match the content of a smartcard I have. It is very likely that the selection does not match your certificate. The easiest way to adjust it is to edit the plugin's auth.php. Long term it makes sense to capture the most common cases as configuration. Please let me know about your needs by opening an issue at [[https://github.com/paweljasinski/dokuwiki-plugin-authclientcert/issues|Github]], or even better, create a PR.

===== FAQ =====

===== Discussion =====