OIDC only (web UI still requests client certs despite SSO)

I’ve had OIDC working well for Incus. But lately, for certain actions (like renaming a VM), the UI just hangs. Looking at the browser console, these requests are being rejected as the “server requires a client certificate”. Is it possible to disable this? I still want mTLS for a few CLI clients, but that doesn’t mean the server needs to request the certificate.

What operations are those exactly?

The server sets the TLS bit saying it accepts client certificates; if we don’t set that bit, then no TLS client would send their certificate to us. But it’s just a request, so it can be ignored, as is normally done with the UI stuff when using OIDC.

I saw this in Orion browser (WebKit). The operation was renaming a VM. Is the code checking OIDC auth cookie before it checks the TLS cert? Perhaps the order is different for the rename operation? Because some browsers nag you to choose a client cert so my only option is to choose a dummy one and then auth with SSO.

No, the auth logic is always the same on our end.

We’re also not triggering the TLS prompt; there’s actually no way to do that in the TLS protocol. All you can do is set a bit which says “server accepts TLS authentication”. This bit is set on the TLS endpoint that Incus listens on, so all TLS connections with Incus will notice that bit being set and then may prompt the user for a certificate, use one they already have, or just ignore that bit entirely if they don’t support TLS client authentication.
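To make the replies above concrete: the “bit” is the server’s CertificateRequest message, which in Go’s crypto/tls (Go being the language Incus is written in) is selected by `tls.Config.ClientAuth`. The program below is an added example, not Incus code: it runs a loopback TLS handshake under several `ClientAuth` policies, once with a client that has no certificate to offer (the OIDC browser case) and once with a client that holds one (the CLI case), and reports how many certificates the server received. The certificates, names and addresses are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for this example.
// It is constructed here and has nothing to do with a real Incus trust store.
func selfSigned(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake runs one TLS handshake over loopback TCP. policy is the server's
// ClientAuth setting (the "server accepts client certificates" bit); clientCert
// is nil for a client with nothing to offer, such as a browser signing in via OIDC.
// It returns how many certificates the server received from the peer, or the error.
func handshake(policy tls.ClientAuthType, clientCert *tls.Certificate) (int, error) {
	serverCert, err := selfSigned("example-server")
	if err != nil {
		return 0, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	ln.(*net.TCPListener).SetDeadline(time.Now().Add(5 * time.Second)) // never hang the demo
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: policy}
	// The test server is self-signed, so the client skips server verification;
	// what the server does with the client's certificate is the point here.
	cliCfg := &tls.Config{InsecureSkipVerify: true}
	if clientCert != nil {
		cliCfg.Certificates = []tls.Certificate{*clientCert}
	}
	type dialResult struct {
		conn *tls.Conn
		err  error
	}
	resc := make(chan dialResult, 1)
	go func() {
		conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // Dial performs the handshake
		resc <- dialResult{conn, err}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return 0, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	srv := tls.Server(raw, srvCfg)
	srvErr := srv.Handshake()
	res := <-resc
	if res.conn != nil {
		defer res.conn.Close()
	}
	if srvErr != nil {
		return 0, srvErr
	}
	if res.err != nil {
		return 0, res.err
	}
	return len(srv.ConnectionState().PeerCertificates), nil
}

func main() {
	cliCert, err := selfSigned("cli-client")
	if err != nil {
		panic(err)
	}
	for _, policy := range []tls.ClientAuthType{tls.NoClientCert, tls.RequestClientCert, tls.RequireAnyClientCert} {
		for _, cert := range []*tls.Certificate{nil, &cliCert} {
			n, err := handshake(policy, cert)
			fmt.Printf("policy=%-22v client has cert=%-5v -> peer certs=%d err=%v\n", policy, cert != nil, n, err)
		}
	}
}
```

Under `RequestClientCert` the handshake succeeds whether the client presents zero certificates or one; only `RequireAnyClientCert` (or stricter) rejects a certificate-less client. The browser prompt mentioned in the thread is purely the client’s reaction to seeing the request: a server that serves both mTLS CLI clients and OIDC browsers keeps the request bit set and decides per request, at the application layer, which credential it will accept.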