
Is it applicable to authenticate database users using X509 certificates through a middle web server tier?

Posted on March 9, 2021

I’ve been reading in the Node.JS docs about SSL attributes for the Node.JS connector to MariaDB server:

https://mariadb.com/kb/en/nodejs-connection-options/#two-way-ssl-authentication

I’m left with these questions, as my current setup is a 3-tier architecture (Client–Nodejs Webserver–MariaDB):

  1. Based on two-way TLS authentication of database users in the documentation:

Is it fine to ask users to upload their corresponding files (client-key, client-cert, CA-cert set by the database admin) to the webserver through a login form in which they can submit their credentials too?

  2. What other implementations are there given this two-way TLS setup (x509 certificates) between web server and DB server in order to authenticate database users?

Thanks a lot for any guidance!




Heya,

TLS mutual authentication is a great way to increase the security of your application by requiring both client and server to authenticate each other. However, there are potential security and user experience concerns with asking users to upload their own client certificates and keys. Here’s why:

  1. User Experience: Managing client-side certificates is a complex task for most users, and it’s not something that the average user is accustomed to. It adds friction to the login process and could result in lost or confused users.

  2. Security: If a user’s private key is compromised during transfer (or if they accidentally upload it somewhere insecure), that user’s database account would be at risk. You should never handle a user’s private key, and users should never be encouraged to send their private keys over the network, even over a secure connection.

A more typical setup might be like this:

  1. Web Server <-> Database Server: Use mutual TLS authentication. Your web server would have a client key and certificate, and your database server would require clients to authenticate using this certificate. This ensures that only your web server can connect to the database server.

  2. Client <-> Web Server: Use standard username/password authentication over HTTPS, and manage user sessions using secure cookies or tokens. When a user logs in, the web server would establish a connection to the database server on their behalf. The web server would then perform operations for the logged-in user.

This setup provides strong security while offering a typical user experience. The web server mediates all access to the database server, which reduces the attack surface area. You can also add other security measures like rate-limiting, automated suspicious activity detection, etc.

If you absolutely need to use client certificates for user authentication, consider distributing certificates to users out of band (i.e., not through the application itself) and instructing users to configure their web browsers to use the certificate when connecting to your site. This is a complex setup and could be overkill for most applications, and again, it is not user-friendly for most people. The use of client-side certificates for users is more common in corporate or high-security environments where additional controls and training can be provided.

Remember, the right authentication setup depends on your specific use case and security requirements. Always consider both the user experience and security implications of your choices.
