The TLS Metadata Header plugin detects client certificates in requests, extracts the TLS metadata (such as the URL-encoded client certificate), and injects this metadata into HTTP headers. It does not validate client certificates.
Here are some use cases where the TLS Metadata Header plugin can be helpful:
- Pass TLS client certificate metadata to an upstream service so that the upstream can validate the proxied certificate itself
- Route requests based on the client’s certificate metadata (for example, different routes for different departments or services)
- Enforce access control based on certain attributes of the client certificate, like the client’s organization (extracted from the certificate’s subject DN)
- Log or audit extracted metadata from client certificates
Important: This plugin must be used in conjunction with another plugin that requests a client certificate, such as the mTLS Authentication or TLS Handshake Modifier plugins.
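An upstream-side check for the first and third use cases above, added here as an example and not taken from the plugin or from Kong's code: the service decodes the URL-encoded PEM certificate from the header the plugin injected, verifies it against the CAs it trusts (the plugin itself validates nothing), and only then reads the organization from the subject DN. The header name, the trust pool and the throwaway CA and client certificate built by mintFixture are assumptions and constructed test data, not values from this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// VerifiedClientSubject decodes the URL-encoded PEM certificate from the header and verifies it against trusted CAs before returning its subject DN.
func VerifiedClientSubject(headerValue string, roots *x509.CertPool) (pkix.Name, error) {
	raw, err := url.QueryUnescape(headerValue)
	if err != nil {
		return pkix.Name{}, err
	}
	block, _ := pem.Decode([]byte(raw))
	if block == nil || block.Type != "CERTIFICATE" {
		return pkix.Name{}, fmt.Errorf("header does not carry a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return pkix.Name{}, err
	}
	// The plugin only forwards the certificate: chain-build to a trusted root and require the client-auth EKU here.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return pkix.Name{}, fmt.Errorf("client certificate rejected: %w", err)
	}
	return cert.Subject, nil
}
// mintFixture: throwaway CA plus a client cert it signs (constructed test data); returns the header value as the proxy sends it and a pool trusting the CA.
func mintFixture(org string) (string, *x509.CertPool) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv)
	caCert, _ := x509.ParseCertificate(caDER)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice", Organization: []string{org}},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, leafPub, caPriv)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return url.QueryEscape(string(pemBytes)), pool
}
```

Because the header is plain HTTP metadata on the upstream hop, the service should also accept it only from the proxy (for example over the mTLS link to the proxy or after stripping the header on other ingress paths); the verification above only proves the certificate chains to a trusted CA, not who sent the header.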