9. Authentication

Scenarios: 3
FFI Functions: ~20
Status: Planned

This category covers all scenarios for certificate-based authentication: mTLS client auth, smart card login, and SSO integration.


Scenarios

^ ID ^ Scenario ^ Description ^ Complexity ^ Status ^
| 9.1 | mTLS Client Auth | Client certificate for API access | * | Planned |
| 9.2 | Smart Card Login | PIV/PKCS#11 based login | | Planned |
| 9.3 | SSO Integration | SAML/OIDC with certificates | | Planned |

----

===== Authentication Architecture =====

<mermaid>
flowchart TB
    subgraph CLIENT["Client"]
        CERT[Client Certificate]
        KEY[Private Key]
    end
    subgraph AUTH["Authentication"]
        TLS[TLS Handshake]
        VERIFY[Verify Certificate]
        AUTHZ[Authorization]
    end
    subgraph ACCESS["Access"]
        API[API/Service]
        USER[User Context]
    end
    CLIENT --> TLS
    TLS --> VERIFY
    VERIFY --> AUTHZ
    AUTHZ --> ACCESS
    style VERIFY fill:#e3f2fd
    style AUTHZ fill:#e8f5e9
</mermaid>

----

===== Authentication Methods =====

^ Method ^ Description ^ Use Case ^
| mTLS | Mutual TLS with client certificate | API access, service-to-service |
| Smart Card | PIV/PKCS#11 card | Workstation login |
| FIDO2/WebAuthn | Hardware token | Web applications |
| Certificate-based SSO | SAML/OIDC with X.509 | Enterprise SSO |

----

===== mTLS Flow =====

<mermaid>
sequenceDiagram
    participant C as Client
    participant S as Server
    C->>S: ClientHello
    S->>C: ServerHello + ServerCert
    S->>C: CertificateRequest
    C->>S: ClientCert + CertificateVerify
    Note over S: Validate certificate
    S->>S: Check chain + revocation
    S->>C: Finished
    C->>S: API Request (authenticated)
</mermaid>

----

===== Industry-Specific Requirements =====

^ Industry ^ Method ^ Specifics ^
| Healthcare | Smart Card (eHBA) | gematik connector integration |
| Energy/SCADA | mTLS | Device identity, IEC 62351 |
| Automotive | Certificate (V2X) | Pseudonym certificates |
| Industry 4.0 | mTLS + OPC UA | Machine identity |

Quick Start Code

mTLS Client Authentication

using System.Net.Http;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

// `ctx` is the library context and `password` the key passphrase; both are
// assumed to have been set up earlier and are not shown on this page.

// Load client certificate and key
var clientCert = ctx.LoadCertificate("client.crt.pem");
var clientKey = ctx.LoadPrivateKey("client.key.pem", password);

// Configure HttpClient with mTLS: the certificate is offered when the
// server sends a CertificateRequest during the handshake
var handler = new HttpClientHandler();
handler.ClientCertificates.Add(
    ctx.CreateX509Certificate2(clientCert, clientKey)
);

var httpClient = new HttpClient(handler);

// API call with client certificate
var response = await httpClient.GetAsync("https://api.example.com/secure/data");

Server-side Validation

using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Certificate;

// In ASP.NET Core Startup
services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        // CertificateTypes.All also accepts self-signed certificates; keep the
        // default CertificateTypes.Chained unless self-signed client
        // certificates are deliberately trusted
        options.AllowedCertificateTypes = CertificateTypes.All;
        options.RevocationMode = X509RevocationMode.Online;
        options.Events = new CertificateAuthenticationEvents
        {
            OnCertificateValidated = context =>
            {
                // Additional PQ validation (`ctx` and `trustStore` are the
                // library context and trust store set up earlier, not shown here)
                var cert = context.ClientCertificate;
                var isValid = ctx.ValidateCertificate(cert, trustStore);

                if (isValid)
                {
                    // Extract claims from certificate
                    var claims = new[] {
                        new Claim(ClaimTypes.Name, cert.Subject),
                        new Claim("cert_thumbprint", cert.Thumbprint)
                    };
                    context.Principal = new ClaimsPrincipal(
                        new ClaimsIdentity(claims, context.Scheme.Name)
                    );
                    context.Success();
                }
                else
                {
                    // Without an explicit Fail the handler would still
                    // authenticate the request with its default principal
                    context.Fail("Certificate failed PQ validation");
                }
                return Task.CompletedTask;
            }
        };
    });
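The "Check chain + revocation" step of the mTLS flow, and the validation that `OnCertificateValidated` above relies on, can also be expressed with the .NET `X509Chain` API against an explicit trust anchor. The following is an added example, not code from the page or the WvdS library; `ClientCertVerifier`, `LoadRoot` and the file name `ca.crt.pem` are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: chain building, revocation checking and EKU enforcement for a
// client certificate, pinned to one configured root instead of the OS store.
public static class ClientCertVerifier
{
    // id-kp-clientAuth (RFC 5280): the certificate must be issued for client authentication.
    private const string ClientAuthEkuOid = "1.3.6.1.5.5.7.3.2";

    public static bool Verify(X509Certificate2 clientCert, X509Certificate2 trustedRoot, out string reason)
    {
        using var chain = new X509Chain();
        var policy = chain.ChainPolicy;

        // Trust only the configured root, not every CA installed on the host.
        policy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        policy.CustomTrustStore.Add(trustedRoot);

        // Revocation: query CRL/OCSP for every certificate except the root itself.
        policy.RevocationMode = X509RevocationMode.Online;
        policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;

        // Reject certificates that lack the client-auth EKU
        // (e.g. a server certificate reused as a client identity).
        policy.ApplicationPolicy.Add(new Oid(ClientAuthEkuOid));

        // Do not mask any chain error (expiry, unknown revocation status, name constraints ...).
        policy.VerificationFlags = X509VerificationFlags.NoFlag;
        policy.VerificationTime = DateTime.Now;

        if (chain.Build(clientCert))
        {
            reason = "ok";
            return true;
        }

        // Collect every status code so the rejection can be logged for later review.
        reason = string.Join("; ", chain.ChainStatus
            .Select(s => $"{s.Status}: {s.StatusInformation.Trim()}"));
        return false;
    }

    // Loads the trust anchor from a PEM file (path is an assumption for this example).
    public static X509Certificate2 LoadRoot(string pemPath = "ca.crt.pem")
        => X509Certificate2.CreateFromPem(File.ReadAllText(pemPath));
}
```

Inside `OnCertificateValidated` this is used as `if (!ClientCertVerifier.Verify(context.ClientCertificate, root, out var why)) context.Fail(why);`, with `root` loaded once at startup. If clients do not send their intermediate CA certificates in the handshake, add those intermediates to `policy.ExtraStore` so the chain can be built; with `RevocationMode.Online` an unreachable CRL/OCSP endpoint surfaces as a `RevocationStatusUnknown` status, which this code deliberately treats as a failure rather than ignoring it.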

Category Relationship

^ Category ^ Relationship ^
| 3. Issuing Certificates | Create client certificates |
| 10. TLS/mTLS | TLS configuration |
| 5. Validation | Certificate validation |



Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

Last modified: 2026/01/30 at 12:19 AM