
[FEATURE] Add support for X509v3 extensions for authentication #5643

@asifabashar

Description


Is your feature request related to a problem?
Currently there is no option to use X509v3 extension fields for authentication, which allows for enhanced certificate authentication.

What solution would you like?
We need functionality to be added to the security plugin in OpenSearch, to be able to read the "X509v3 Subject Alternative Name: " field from the certificate content.
This will use the username_attribute field to configure this attribute in config.yaml in the OpenSearch security config. This value in the certificate will be compared with the role-mapped username in OpenSearch. This is a request to add the "X509v3 Subject Alternative Name: " field as an additional possible username_attribute value along with the existing possible attributes such as CN and DN.

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Authority Key Identifier:
            keyid:<generated value>
        Authority Information Access:
            CA Issuers - URI:<generated value>
            OCSP - URI:<generated value>
        X509v3 Subject Alternative Name:
            <generated value: this is the field that can be used for authentication>
        X509v3 Extended Key Usage:
            TLS Web Client Authentication
        X509v3 CRL Distribution Points:
            Full Name:
              URI:<generated value>
        X509v3 Subject Key Identifier:
            <generated value: this is another field that can be used for authentication>
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment

The config block below is from config.yaml, where username_attribute needs to be set to "X509v3 Subject Alternative Name"; the code in the security plugin then needs to be enhanced to use this attribute to compare the user, along with the existing possible values such as dn or cn.

    clientcert_auth_domain:
        authentication_backend:
          type: "noop"
        description: "Authenticate via SSL client certificates"
        http_authenticator:
          challenge: false
          config:
            username_attribute: null
          type: "clientcert"
        http_enabled: true
        order: 2
        transport_enabled: false

After the change, the config will also have the capability to configure the username_attribute option as below.

    clientcert_auth_domain:
        authentication_backend:
          type: "noop"
        description: "Authenticate via SSL client certificates"
        http_authenticator:
          challenge: false
          config:
            username_attribute: "X509v3 Subject Alternative Name"
          type: "clientcert"
        http_enabled: true
        order: 2
        transport_enabled: false

The code should ensure that backward compatibility for configuring the cn or dn attribute in config.yaml remains intact.

What alternatives have you considered?
The enhanced functionality is not available.

Do you have any additional context?
The additional SAN attributes help with more granular authentication and authorization.
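A worked illustration of the extraction-and-comparison step the request describes, added here as an example; it is not code from the OpenSearch security plugin and does not reproduce its actual username_attribute semantics. It assumes a selector that keeps "cn" and "dn" working as before and adds "X509v3 Subject Alternative Name" (plus a short alias "san", an assumption of this example). Since a SAN extension can carry several name forms (rfc822Name, dNSName, URI, IP), the example has to pick one; it prefers the e-mail entry, then DNS, then URI, and rejects certificates that carry no usable SAN entry rather than falling back silently, because a fallback to a different attribute would change which identity gets authenticated. The certificate is constructed in-process with Go's standard library so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// usernameFromCert picks the principal name used for client-certificate
// authentication. The selector mirrors the issue's username_attribute knob:
// "cn" and "dn" keep today's behaviour, and the proposed
// "X509v3 Subject Alternative Name" (or the alias "san", an assumption of this
// example) reads the SAN extension instead. The precedence among SAN entries
// is a design choice the issue leaves open; here rfc822Name wins, then
// dNSName, then URI. A missing or unusable SAN is an error, never a fallback.
func usernameFromCert(cert *x509.Certificate, usernameAttribute string) (string, error) {
	switch strings.ToLower(strings.TrimSpace(usernameAttribute)) {
	case "", "dn":
		return cert.Subject.String(), nil
	case "cn":
		if cert.Subject.CommonName == "" {
			return "", errors.New("certificate subject has no CN")
		}
		return cert.Subject.CommonName, nil
	case "x509v3 subject alternative name", "san":
		switch {
		case len(cert.EmailAddresses) > 0:
			return cert.EmailAddresses[0], nil
		case len(cert.DNSNames) > 0:
			return cert.DNSNames[0], nil
		case len(cert.URIs) > 0:
			return cert.URIs[0].String(), nil
		}
		return "", errors.New("certificate has no usable Subject Alternative Name entry")
	}
	return "", fmt.Errorf("unsupported username_attribute %q", usernameAttribute)
}

// isMappedUser is the comparison step from the issue: the extracted value must
// exactly equal a username that has a role mapping; anything else is rejected.
func isMappedUser(username string, mappedUsers []string) bool {
	for _, u := range mappedUsers {
		if u == username {
			return true
		}
	}
	return false
}

// selfSignedClientCert builds a throwaway client certificate (constructed test
// data, not something a real CA issued) whose CN and SAN entries we control.
func selfSignedClientCert(cn, email string, dns []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Org"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		DNSNames:     dns,
	}
	if email != "" {
		tmpl.EmailAddresses = []string{email}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSignedClientCert("alice", "alice@example.test", []string{"alice.clients.example.test"})
	if err != nil {
		panic(err)
	}
	// The role mapping only lists the SAN form of the identity, so "cn" and
	// "dn" extract a valid name but do not match; only the SAN selector does.
	mapped := []string{"alice@example.test"}
	for _, attr := range []string{"cn", "dn", "X509v3 Subject Alternative Name"} {
		name, err := usernameFromCert(cert, attr)
		fmt.Printf("username_attribute=%-34q -> %q (err=%v) mapped=%v\n", attr, name, err, isMappedUser(name, mapped))
	}
}
```

The comparison is deliberately an exact string match against the mapped username, which is what the request asks for; if a deployment wants to match on a DNS-form SAN instead of the e-mail form, the precedence in the "san" branch is the single place to change, and the no-SAN error path is what keeps a certificate without the expected extension from being accepted under a different attribute.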

Labels

enhancement (New feature or request), triaged (Issues labeled as 'Triaged' have been reviewed and are deemed actionable.)
