~~NOTOC~~
====== 9. Authentication ======
**Scenarios:** 3 \\
**FFI Functions:** ~20 \\
**Status:** Planned
This category covers all scenarios for certificate-based authentication: mTLS client auth, smart card login, and SSO integration.
----
===== Scenarios =====
^ ID ^ Scenario ^ Description ^ Complexity ^ Status ^
| [[.:mtls_client_auth|9.1]] | mTLS Client Auth | Client certificate for API access | *** | Planned |
| [[.:smartcard_login|9.2]] | Smart Card Login | PIV/PKCS#11 based login | **** | Planned |
| [[.:sso_integration|9.3]] | SSO Integration | SAML/OIDC with certificates | **** | Planned |
----
===== Authentication Architecture =====
<mermaid>
flowchart TB
    subgraph CLIENT["Client"]
        CERT[Client Certificate]
        KEY[Private Key]
    end
    subgraph AUTH["Authentication"]
        TLS[TLS Handshake]
        VERIFY[Verify Certificate]
        AUTHZ[Authorization]
    end
    subgraph ACCESS["Access"]
        API[API/Service]
        USER[User Context]
    end
    CLIENT --> TLS
    TLS --> VERIFY
    VERIFY --> AUTHZ
    AUTHZ --> ACCESS
    style VERIFY fill:#e3f2fd
    style AUTHZ fill:#e8f5e9
</mermaid>
----
===== Authentication Methods =====
^ Method ^ Description ^ Use Case ^
| **mTLS** | Mutual TLS with client certificate | API access, service-to-service |
| **Smart Card** | PIV/PKCS#11 card | Workstation login |
| **FIDO2/WebAuthn** | Hardware token | Web applications |
| **Certificate-based SSO** | SAML/OIDC with X.509 | Enterprise SSO |
----
===== mTLS Flow =====
<mermaid>
sequenceDiagram
    participant C as Client
    participant S as Server
    C->>S: ClientHello
    S->>C: ServerHello + ServerCert
    S->>C: CertificateRequest
    C->>S: ClientCert + CertificateVerify
    Note over S: Validate certificate
    S->>S: Check chain + revocation
    S->>C: Finished
    C->>S: API Request (authenticated)
</mermaid>
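The server's "Validate certificate" and "Check chain + revocation" steps, shown here as an added example using the .NET ''X509Chain'' API rather than the WvdS library (this code is not part of the library or the original page). It assumes .NET 6 or later and that the caller supplies the client certificate from the TLS handshake plus the private CA roots it is willing to trust.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// Added example: chain + revocation + EKU check against an explicit private
// trust store (not the machine store). Not WvdS library code.
public static class ClientCertValidator
{
    // id-kp-clientAuth (RFC 5280 4.2.1.12): the client cert must carry this EKU.
    private const string ClientAuthEkuOid = "1.3.6.1.5.5.7.3.2";

    public static bool TryValidate(
        X509Certificate2 clientCert,
        X509Certificate2Collection trustedRoots,
        out string identity,
        out string failureReason)
    {
        identity = string.Empty;
        failureReason = string.Empty;
        // A CA certificate presented as a client identity is never acceptable.
        if (clientCert.Extensions.OfType<X509BasicConstraintsExtension>()
                      .Any(e => e.CertificateAuthority))
        {
            failureReason = "CA certificate presented as client certificate";
            return false;
        }
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(trustedRoots);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEkuOid));
        // NoFlag: an unreachable CRL/OCSP responder fails the build (fail closed)
        // instead of silently skipping the revocation check.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        if (!chain.Build(clientCert))
        {
            failureReason = string.Join("; ",
                chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}"));
            return false;
        }
        // Bind the session to the exact certificate, not just its Subject DN,
        // so two certificates with the same DN are not treated as one user.
        identity = clientCert.GetCertHashString(HashAlgorithmName.SHA256);
        return true;
    }
}
```

The returned identity (SHA-256 certificate hash) is what the authorization step should key on; the ''failureReason'' string lists every ''X509ChainStatus'' so the rejection can be logged and investigated.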
----
===== Industry-Specific Requirements =====
^ Industry ^ Method ^ Specifics ^
| **Healthcare** | Smart Card (eHBA) | gematik connector integration |
| **Energy/SCADA** | mTLS | Device identity, IEC 62351 |
| **Automotive** | Certificate (V2X) | Pseudonym certificates |
| **Industry 4.0** | mTLS + OPC UA | Machine identity |
----
===== Quick Start Code =====
==== mTLS Client Authentication ====
<code csharp>
using System.Net.Http;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

// Load client certificate and key
// (ctx is the library context; password is the passphrase protecting the key file)
var clientCert = ctx.LoadCertificate("client.crt.pem");
var clientKey = ctx.LoadPrivateKey("client.key.pem", password);

// Configure HttpClient with mTLS
var handler = new HttpClientHandler();
handler.ClientCertificates.Add(
    ctx.CreateX509Certificate2(clientCert, clientKey)
);
var httpClient = new HttpClient(handler);

// API call with client certificate
var response = await httpClient.GetAsync("https://api.example.com/secure/data");
</code>
==== Server-side Validation ====
<code csharp>
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.Extensions.DependencyInjection;

// In ASP.NET Core Startup
// (ctx and trustStore are the library context and the trust store it validates against)
services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        // CertificateTypes.All accepts chained and self-signed certificates
        options.AllowedCertificateTypes = CertificateTypes.All;
        options.RevocationMode = X509RevocationMode.Online;
        options.Events = new CertificateAuthenticationEvents
        {
            OnCertificateValidated = context =>
            {
                // Additional PQ validation
                var cert = context.ClientCertificate;
                var isValid = ctx.ValidateCertificate(cert, trustStore);
                if (isValid)
                {
                    // Extract claims from certificate
                    var claims = new[] {
                        new Claim(ClaimTypes.Name, cert.Subject),
                        new Claim("cert_thumbprint", cert.Thumbprint)
                    };
                    context.Principal = new ClaimsPrincipal(
                        new ClaimsIdentity(claims, context.Scheme.Name)
                    );
                    context.Success();
                }
                else
                {
                    // Without an explicit Fail() the handler treats the certificate
                    // as accepted, because it already passed the built-in chain checks.
                    context.Fail("Certificate rejected by PQ validation");
                }
                return Task.CompletedTask;
            }
        };
    });
</code>
----
===== Related Categories =====
^ Category ^ Relationship ^
| [[.:zertifikate:start|3. Issuing Certificates]] | Create client certificates |
| [[.:tls:start|10. TLS/mTLS]] | TLS configuration |
| [[.:validierung:start|5. Validation]] | Certificate validation |
----
<< [[en:int:pqcrypt:szenarien:signaturen:start|<- 8. Digital Signatures]] | [[en:int:pqcrypt:szenarien:start|^ Scenarios]] | [[.:tls:start|10. TLS/mTLS ->]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>category authentication mtls smartcard sso}}