Add mTLS client certificate authentication support (RFC 8705) #5233

Closed
Copilot wants to merge 3 commits into master from copilot/add-mtls-client-authentication-another-one

Conversation

Copilot AI commented Mar 7, 2026

Adds mutual TLS client authentication using application.Cert validation in both AutoSigninFilter and the OAuth token endpoint, per maintainer direction.

Changes

  • object/cert_mtls.go — Core mTLS logic:
    • GetClientCertFromRequest() extracts the client cert from Request.TLS.PeerCertificates or the X-Client-Cert header (reverse proxy support)
    • GetApplicationByClientCert(clientId, cert) looks up the application and validates the cert against the configured CA
    • verifyClientCertAgainstCACert() uses x509.Verify with proper chain/expiry/key-usage checks
  • routers/auto_signin_filter.go — New mTLS auth path: when a TLS client cert is present with clientId (no clientSecret), authenticate via certificate validation against application.Cert
  • controllers/token.go — ValidateOAuth now supports tls_client_auth (RFC 8705): client_id + client cert without client_secret triggers mTLS validation at the token endpoint
  • object/cert_mtls_test.go — Tests for CA-signed certs, self-signed certs, wrong-CA rejection, invalid PEM, and expired cert rejection

Usage

A client authenticates by presenting a TLS client certificate and specifying only clientId:

GET /api/some-endpoint?clientId=<app_client_id>
# with TLS client certificate in the connection, or X-Client-Cert header via reverse proxy

At the token endpoint:

POST /api/login/oauth/access_token
  client_id=<app_client_id>&grant_type=authorization_code&code=<code>
# with TLS client certificate — no client_secret needed

The client certificate is validated against the application's configured Cert (CA certificate). Both CA-signed and self-signed certificate flows are supported.


Original prompt

This section details the original issue you should resolve

<issue_title>Add mTLS (Mutual TLS) Client Authentication Support for Enhanced Security</issue_title>
<issue_description>Why This Matters:

Currently, Casdoor supports client authentication methods like client_secret. However, these methods have limitations:

- Client secrets can be leaked, stolen, or exposed in transit.
- No built-in support for certificate-based client identity at the transport level.

Adding mTLS support would enable:

- Strong cryptographic client authentication using X.509 certificates.
- Certificate-bound access tokens (demonstrating proof-of-possession).
- Compliance with financial-grade security requirements (FAPI).
- Simplified security for service-to-service communication in Kubernetes and service mesh environments.
- Integration with existing PKI infrastructure.

Proposed Implementation:

- Add mTLS configuration options per OAuth client:
  - Enable/disable mTLS requirement
  - Allowed certificate issuer DNs or SAN entries
  - Option to bind tokens to client certificates (TLS client certificate binding per RFC 8705)
- Support OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705):
  - tls_client_auth - Client authentication using X.509 certificate
  - self_signed_tls_client_auth - For self-signed certificates
- Implement certificate validation:
  - Validate certificate chain
  - Check certificate expiration
  - Verify certificate against allowed issuers/CN/SAN
- Add metadata indicators for OAuth clients supporting mTLS

Useful links:

Comments on the Issue (you are @copilot in this section)

@hsluoyz can support application.Cert auth in AutoSigninFilter


@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Copilot AI and others added 2 commits March 7, 2026 09:58
- Add certificate validation logic in object/cert_mtls.go
- Add mTLS auth path in AutoSigninFilter (routers/auto_signin_filter.go)
- Add client cert extraction helpers in routers/base.go and controllers/token.go
- Add tls_client_auth support in ValidateOAuth for RFC 8705 compliance
- Add unit tests for certificate validation in object/cert_mtls_test.go

Co-authored-by: hsluoyz <3787410+hsluoyz@users.noreply.github.com>
…FromRequest

Co-authored-by: hsluoyz <3787410+hsluoyz@users.noreply.github.com>
Copilot AI changed the title [WIP] Add mTLS client authentication support for enhanced security Add mTLS client certificate authentication support (RFC 8705) Mar 7, 2026
@hsluoyz hsluoyz marked this pull request as ready for review March 7, 2026 10:09
@hsluoyz hsluoyz force-pushed the master branch 3 times, most recently from 941f460 to 9038d8a Compare March 25, 2026 14:40
@hsluoyz hsluoyz closed this Apr 10, 2026
Development

Successfully merging this pull request may close these issues.

Add mTLS (Mutual TLS) Client Authentication Support for Enhanced Security

3 participants