Bug 5073 - Support smart-card authentication in Web Access
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Peter Åstrand
Reported: 2014-04-08 09:40 CEST by Aaron Sowry
Modified: 2021-11-04 09:38 CET

Description Aaron Sowry cendio 2014-04-08 09:40:41 CEST
Feature parity bug, should be achievable with most major browsers.
Comment 1 Pierre Ossman cendio 2014-04-08 09:53:45 CEST
This is unfortunately very difficult. The way smart card authentication works in browsers is that during the TLS handshake the server will ask the client to authenticate itself. Now the problem is how do we know when to do that? We have no idea what the URI is at this point. Normally you solve this by having a different hostname for the pages that require authentication. Not really ideal for our case though. And if you want to reuse the IP number you need SNI.

And with that solved, we still have to deal with the generally shitty interface in the browsers for smart cards.


What we can hope for is that a JavaScript interface for the smart cards/certificate storage shows up. Mozilla has their own thing[1], but I don't see any effort from the other browsers.


There is also the option of requiring a plugin, but that kind of defeats one of the main points of the HTML client.


[1] https://developer.mozilla.org/en/docs/JavaScript_crypto
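
The hostname-based approach described in comment 1, as an added example that is not part of the original thread and not ThinLinc code: one listening socket whose SNI callback switches to a client-certificate-requiring context only for a dedicated login hostname. The hostname `card.example.test`, the function names and the certificate file parameters are assumptions made for illustration.

```python
import ssl

# Hypothetical hostname reserved for smart-card logins (an assumption).
CARD_HOST = "card.example.test"


def build_contexts(certfile=None, keyfile=None, client_ca=None):
    """Return (default_ctx, card_ctx, sni_handler) for one listening socket."""

    def new_ctx():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        if certfile:  # server certificate; paths are supplied by the caller
            ctx.load_cert_chain(certfile, keyfile)
        return ctx

    default_ctx = new_ctx()  # verify_mode is CERT_NONE: client is never asked
    card_ctx = new_ctx()
    card_ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a cert
    if client_ca:
        card_ctx.load_verify_locations(client_ca)  # CA that issued card certs

    def sni_handler(ssl_obj, server_name, _initial_ctx):
        # Runs while the ClientHello is processed. The SNI hostname is the
        # only request detail available here; no URI has been sent yet.
        if server_name and server_name.lower() == CARD_HOST:
            ssl_obj.context = card_ctx
        return None  # None lets the handshake continue

    default_ctx.sni_callback = sni_handler
    return default_ctx, card_ctx, sni_handler


def accept_one(listener, default_ctx):
    """Accept one connection; return (tls_socket, peer certificate or None)."""
    conn, _addr = listener.accept()
    tls = default_ctx.wrap_socket(conn, server_side=True)
    return tls, tls.getpeercert()
```

Clients that send no SNI, or any other hostname, stay on the default context and are never prompted for a certificate.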
Comment 2 Pierre Ossman cendio 2021-11-04 09:38:17 CET
Red Hat has apparently added smart card authentication to the web console included in RHEL 9. Could be worth checking what system they use and see if it is appropriate for us.
