Hi,
I would like to use X509 authentication with CAS REST API (as described here:
https://apereo.github.io/cas/5.2.x/protocol/REST-Protocol.html). I'm surprised that there is a certificate parameter to the request, as I thought the certificate should be taken from the servlet container environment, as is done for the non-REST X509 authentication (
https://apereo.github.io/cas/5.2.x/installation/X509-Authentication.html)
My attempts show that the certificate that is passed in the REST request is accepted without a private key ownership check.
How is this X509 REST authentication feature supposed to be used, avoiding trivial use of a certificate by a non-owner (am I missing something)?
Many thanks in advance for any help!
Best Regards