Description
Is your feature request related to a problem? Please describe.
The ZAAS client supports a couple of methods, some of which require a client certificate and some do not:

```java
String login(String userId, String password, String newPassword) throws ZaasClientException;
String login(String userId, String password) throws ZaasClientException;
String login(String userId, char[] password, char[] newPassword) throws ZaasClientException;
String login(String userId, char[] password) throws ZaasClientException;
String login(String authorizationHeader) throws ZaasClientException;
ZaasToken query(String token) throws ZaasClientException;
ZaasToken query(HttpServletRequest request) throws ZaasClientException;
ZaasOidcValidationResult validateOidc(String token) throws ZaasClientException;
// passTicket is the one call that needs the x509 client certificate
String passTicket(String jwtToken, String applicationId) throws ZaasClientException, ZaasConfigurationException;
void logout(String token) throws ZaasClientException, ZaasConfigurationException;
```

The issue appears when a customer wants to use AT-TLS between their service and the API Gateway. It is not possible to control signing with the client certificate there. Providing a client certificate in REST calls like login is not correct, but for passticket it is necessary.
Describe the solution you'd like
The solution to this could be providing an empty Client-Cert header for all endpoints that don't expect x509 authentication (basically all except passticket). It is supported since #4347 (commit 2093d5efd48a970684c94ebc02f0946e3399df6e). Then it is possible to set up the client certificate in the outbound AT-TLS rule and it will be (effectively) used only for passticket.
Describe alternatives you've considered
Create documentation describing the potential risk.
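The workaround described above, as an added illustration that is not part of the issue or of the ZAAS client itself: a caller behind AT-TLS adds an empty Client-Cert header to every gateway call except the passticket one, so the certificate the AT-TLS rule attaches to the connection only has an authentication effect for passticket. The gateway URL and the endpoint paths are assumptions for the example; any service-to-gateway Java HTTP client works the same way.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Set;

public class ZaasAttlsRequests {
    // Assumed gateway address. With AT-TLS the application speaks plain HTTP;
    // the TCP/IP stack adds TLS and the client certificate from the outbound rule.
    private static final URI GATEWAY = URI.create("http://gateway.example.internal:10010");

    // Assumed endpoint paths. Only the passticket endpoint is meant to be
    // authenticated with the x509 client certificate.
    private static final String PASSTICKET_PATH = "/gateway/api/v1/auth/ticket";
    private static final Set<String> X509_ENDPOINTS = Set.of(PASSTICKET_PATH);

    // True for every endpoint that should not see the AT-TLS certificate as a credential.
    static boolean suppressesClientCert(String path) {
        return !X509_ENDPOINTS.contains(path);
    }

    static HttpRequest.Builder builderFor(String path) {
        HttpRequest.Builder b = HttpRequest.newBuilder(GATEWAY.resolve(path));
        if (suppressesClientCert(path)) {
            // Empty Client-Cert header: the gateway must not treat the connection's
            // certificate as an x509 login for this request.
            b.header("Client-Cert", "");
        }
        return b;
    }

    public static void main(String[] args) throws Exception {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest login = builderFor("/gateway/api/v1/auth/login")
                .header("Authorization", "Basic " + java.util.Base64.getEncoder()
                        .encodeToString("user:secret".getBytes()))  // constructed credentials
                .POST(HttpRequest.BodyPublishers.noBody())
                .build();
        HttpRequest ticket = builderFor(PASSTICKET_PATH)
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString("{\"applicationName\":\"APPL\"}"))
                .build();
        for (HttpRequest r : new HttpRequest[]{login, ticket}) {
            System.out.println(r.uri().getPath() + " Client-Cert present: "
                    + r.headers().firstValue("Client-Cert").isPresent());
            HttpResponse<String> resp = client.send(r, HttpResponse.BodyHandlers.ofString());
            System.out.println("  status " + resp.statusCode());
        }
    }
}
```

The login request carries an empty Client-Cert header and the passticket request does not, so an inspection of the outgoing requests is a quick check that the rule in the issue is being applied.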