Description
Actually, in Symfony\Component\Security\Http\Authenticator\X509Authenticator, the userIdentifier is always the emailAddress part of the TLS subject:

Subject: C = FR, O =My Organization, CN = user1, emailAddress = user1@myorg.fr

In some cases we do not identify users by their email address and prefer to use the CN (Common Name) as the identifier, because our users do not have an email, or the X.509 client certificate does not contain an email (e.g. with the Caddy server, the emailAddress is not part of the TLS subject).

Would it be better to add a parameter defining the subject field (e.g. CN or emailAddress) we want? But that could cause trouble with Apache, because the userKey parameter (aka the field extracted from the TLS subject) contains the SSL_CLIENT_S_DN_Email FastCGI env variable (Apache only).

With Caddy or Nginx, the HTTP server only returns the SSL_CLIENT_S_DN FastCGI env variable (it does not split the string to extract the CN or emailAddress), and the Authenticator tries to extract it from the credentialsKey parameter (aka the TLS subject).
Actual x509 config:
- userKey: defaults to SSL_CLIENT_S_DN_Email (Apache) => Email part of the TLS Subject
- credentialsKey: defaults to SSL_CLIENT_S_DN (all HTTP servers) => TLS Subject
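As an added illustration (not Symfony's own code), here is how the proposed subject-field option could resolve the identifier with the same precedence as today (userKey env first, then the full subject in credentialsKey). It assumes PHP 8, that `$server` is `$_SERVER`, and that the DN is a comma-separated list of `key = value` pairs (RFC 4514 escaping of commas inside values is not handled).

```php
<?php
// Added example, not part of the Symfony code base. Assumes PHP 8 and
// comma-separated "key = value" DN attributes (no RFC 4514 escape handling).

/**
 * Parse a subject DN such as
 *   "C = FR, O =My Organization, CN = user1, emailAddress = user1@myorg.fr"
 * into ['C' => 'FR', 'O' => 'My Organization', 'CN' => 'user1', ...].
 */
function parseSubjectDn(string $dn): array
{
    $attributes = [];
    // Caddy/Nginx hand over the whole subject as one string; split it into RDNs.
    foreach (explode(',', $dn) as $rdn) {
        if (!str_contains($rdn, '=')) {
            continue; // skip empty or malformed fragments
        }
        [$key, $value] = explode('=', $rdn, 2);
        $attributes[trim($key)] = trim($value);
    }

    return $attributes;
}

/**
 * Same lookup order as the authenticator (userKey, then credentialsKey), but
 * with the subject field configurable instead of hard-wired to emailAddress.
 */
function extractUserIdentifier(
    array $server,
    string $subjectField = 'emailAddress',      // proposed option: 'CN' or 'emailAddress'
    string $userKey = 'SSL_CLIENT_S_DN_Email',  // Apache-only, already split
    string $credentialsKey = 'SSL_CLIENT_S_DN'  // full subject, all servers
): ?string {
    // Only read variables set by the TLS terminator itself, never a client-supplied header.
    if ('emailAddress' === $subjectField && !empty($server[$userKey])) {
        return $server[$userKey]; // Apache already extracted the email for us
    }
    if (empty($server[$credentialsKey])) {
        return null; // no client certificate was presented
    }

    return parseSubjectDn($server[$credentialsKey])[$subjectField] ?? null;
}

// Constructed sample: what Caddy/Nginx pass when the certificate carries no email.
$caddyEnv = ['SSL_CLIENT_S_DN' => 'C = FR, O =My Organization, CN = user1'];
var_dump(extractUserIdentifier($caddyEnv, 'CN'));
var_dump(extractUserIdentifier($caddyEnv, 'emailAddress'));
```

With the constructed Caddy environment, asking for CN yields the identifier while asking for emailAddress yields null, which is the failure the issue describes.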
Example
No response