I am trying to set up a web service which uses X.509 client certificates sent during the TLS handshake for authentication as well as to check whether the user has the authorization to access the requested resource.
The idea is that each user is given an access level, and some resources are only available to the higher levels. The certificate is then used to match the user to its level.
I have had no problem configuring Apache to verify the certificate against the root CA and to forward the certificate to the back-end application (a Python-based XML-RPC server).
However I am struggling to choose which attribute(s) of the certificate I should use to map the user to his level:
I am currently leaning towards the public key, but is it the best choice in this situation? Or is there a better option?
Thanks in advance
Typically authentication with client certificates is done by having some private CA which issues the client certificates and only trusting this CA when validating the client certificates. In this case the trusted CA, and only this CA, has full control over the subject of the certificate, which means that mapping the CN to users is perfectly fine and also commonly used.
If you instead for whatever reason want to allow certificates issued by arbitrary CAs then such a simple mapping cannot be done, as you've realized yourself. In this case a mapping between certificate pubkey or certificate fingerprint might be done, which of course requires that it is known up-front which exact certificate to expect for a specific user. And this mapping needs to be somehow renewed whenever the client certificate needs to change because it has expired.
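The two mapping strategies from the answer, written out for a Python back-end behind Apache, as an added example that is not part of the original thread. It assumes mod_ssl forwards its standard variables (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_CLIENT_CERT) to the application; the CA name, user table, resource levels and the PEM blob are all constructed placeholders.

```python
import hashlib
import re
import ssl

# Assumed: Apache (mod_ssl) has already verified the chain and hands the backend
# SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_I_DN and SSL_CLIENT_CERT (PEM).
# DN strings use mod_ssl's default RFC 2253 layout, e.g. "CN=alice,OU=ops,O=Example Corp".
PRIVATE_CA_DN = "CN=Example Internal CA,O=Example Corp"   # constructed value
CN_LEVELS = {"alice": 3, "bob": 1}          # CN -> level, honoured only for our own CA
RESOURCE_LEVELS = {"/admin": 3, "/reports": 2, "/status": 1}

# Constructed PEM whose body is just base64("0123456789"); it stands in for a
# certificate from some other CA that we accept by pinning its fingerprint.
FOREIGN_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMDEyMzQ1Njc4OQ==\n-----END CERTIFICATE-----\n"

def parse_dn(dn):
    """Split an RFC 2253 style DN into {attr: value}; honours '\\,' escapes."""
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip()] = value.replace("\\,", ",")
    return attrs

def cert_fingerprint(pem):
    """SHA-256 over the DER bytes: the usual 'certificate fingerprint'."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

FINGERPRINT_LEVELS = {cert_fingerprint(FOREIGN_CERT_PEM): 2}   # fingerprint -> level

def client_level(env):
    """Return (identity, level) for the presented certificate, or None."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    cn = parse_dn(env.get("SSL_CLIENT_S_DN", "")).get("CN")
    # Our private CA alone controls the subject, so its CN is authoritative.
    if env.get("SSL_CLIENT_I_DN") == PRIVATE_CA_DN and cn in CN_LEVELS:
        return cn, CN_LEVELS[cn]
    # Any other issuer is only accepted if this exact certificate was pinned.
    if env.get("SSL_CLIENT_CERT"):
        fp = cert_fingerprint(env["SSL_CLIENT_CERT"])
        if fp in FINGERPRINT_LEVELS:
            return fp, FINGERPRINT_LEVELS[fp]
    return None

def authorize(env, resource):
    """True if the client's level reaches the level the resource requires."""
    ident, required = client_level(env), RESOURCE_LEVELS.get(resource)
    return ident is not None and required is not None and ident[1] >= required
```

Note that a CN from a foreign issuer is deliberately ignored even when it matches a known user; only the fingerprint table applies to such certificates.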