[Feature]: Support mTLS / Client TLS Certificates in Mobile App #1611
Replies: 15 comments 44 replies
-
Why not just authorize by username and password? Then you can remember it or use a password manager. A long password gives just enough protection. Mutual TLS in practice never worked. It looks similar to ssh keys but lacks all the infrastructure and tools. There is no reason to use it and that's why it's not supported anywhere.
-
I think it is unlikely that we will add support for this to Immich. A VPN allows for the same level of protection, while working seamlessly without any application changes.
-
is it possible to make it like
-
@JabobKrauskopf thanks for bringing this up, I just started on immich and all my personal hosting is based on client certificates. So no support for this will be a no go.
-
I would like to see mTLS supported in the app too
-
I concur that supporting client certificates would greatly enhance the security options in Immich.
-
Hey, consider a scenario where you put your server behind Cloudflare and enable mTLS there. It limits the attack surface for Immich as a valid client cert is required to get to the Immich API. It's a common use case for Home Assistant owners.
-
It also does seem risky to me to run an in-development thing like this without an additional layer of protection, like what either this (using client certificates) or e.g. custom headers using Cloudflare Access/Zero Trust allows (#1305).
-
Why is the discussion closed?
-
Can we please reopen this issue? I think there is a real benefit to help improve security when the app can provide client certificates to the server.
-
I'd like to sponsor this specifically, is that possible? As I understand, https://immich.app/blog/2024/immich-core-team-goes-fulltime#i-am-currently-supporting-immich-through-github-sponsors-what-will-happen-to-my-donation there is no sponsoring available at the moment? edit: Liberapay it is: https://liberapay.com/alex.tran1502/
-
Nextcloud just added this feature and it will be available in the next release. With the Nextcloud Memories plugin, it can achieve most of Immich's functions except for AI. I do not understand why Immich refuses to implement this feature. There is high demand for this feature. If username and password are safe enough, why do we need 2FA? Adding more security choices is good, especially for this intensively developed project.
-
I want to let you guys know that this is a welcome feature if you guys can help integrate it into the app. It is just not the priority of the core team to work on at the moment. FWIW, we just merged custom header support for the mobile app in #10588
-
I created a PR #10860 for this feature. The PR is being reviewed and hopefully can be approved
-
Feature detail
Background
I would like to access my instance of Immich from outside my network. However, the only option I have without exposing it to the internet is to use a VPN, which I would like to avoid. Configuring my reverse-proxy to require mutual TLS / client certificates could reduce the risk of exposing Immich by adding an extra layer of protection.
Proposal
Ideally, the Immich app could access the iOS / Android keychain and use a client certificate that is installed system-wide for any requests to the Immich server.
Problem
After taking a stab at implementing this feature on Android by accessing the native keychain, I ran into the following issue. The Dart HTTP client supports client certificates by configuring a `SecurityContext` object with `useCertificateChainBytes()` and `usePrivateKeyBytes()`. However, these methods require the actual contents of the private key, but the Android `KeyChain.getPrivateKey()` API only returns an opaque key. The built-in Dart HTTP client does not seem to support this (see dart-lang/sdk#50669 (comment)). Apps like Home Assistant support client certificates because the OkHttp library uses native Android APIs (see home-assistant/android#2526).
Solutions
One solution would be to have some kind of advanced options section on the login screen where a user uploads a client certificate. However, this would be less than ideal since we would bypass the system keystore which already provides this functionality.
Another option that might be worth exploring is a custom header that contains a secret token which is sent with every request. Maybe something like this: #1305
I would appreciate any insights/help on how one might approach implementing mutual TLS.
Platform
Mobile App
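The "user uploads a client certificate" fallback from the Solutions section, as an added example that is not Immich's code: a Dart `HttpClient` built on a `SecurityContext` fed with PEM bytes. The file paths, the hypothetical `immich.example` hostname and the key password are assumptions; the block also shows why an opaque Android KeyChain handle cannot be used on this path.

```dart
// Added example, not from the Immich app. Builds an HttpClient that presents
// a client certificate read from PEM files (paths are assumptions).
import 'dart:io';

Future<HttpClient> clientWithCert({
  required String certPemPath, // client certificate chain, PEM encoded
  required String keyPemPath, // private key, PEM encoded (may be encrypted)
  String? keyPassword, // null when the key file is unencrypted
}) async {
  // withTrustedRoots keeps the platform CA store for verifying the server.
  final context = SecurityContext(withTrustedRoots: true);
  // Both calls consume raw key material. An opaque key returned by the
  // Android KeyChain API has no bytes to hand over, which is exactly the
  // limitation described in the Problem section; only a key the user
  // supplied as a file works here.
  context.useCertificateChainBytes(await File(certPemPath).readAsBytes());
  context.usePrivateKeyBytes(await File(keyPemPath).readAsBytes(),
      password: keyPassword);
  return HttpClient(context: context);
}

// Sends one GET and returns the HTTP status, or -1 when the TLS handshake
// fails (e.g. the reverse proxy rejected or did not receive the cert).
Future<int> probeServer(HttpClient client, Uri url) async {
  try {
    final request = await client.getUrl(url);
    final response = await request.close();
    await response.drain<void>();
    return response.statusCode;
  } on HandshakeException catch (e) {
    stderr.writeln('TLS handshake failed: $e');
    return -1;
  } finally {
    client.close();
  }
}

Future<void> main() async {
  final client = await clientWithCert(
    certPemPath: 'client.crt',
    keyPemPath: 'client.key',
    keyPassword: null,
  );
  // Hypothetical hostname; point it at the mTLS-protected proxy in front of
  // the Immich server.
  final status = await probeServer(client, Uri.parse('https://immich.example/'));
  print('status: $status');
}
```

When the proxy has `ssl_verify_client` (or its equivalent) enabled, running this without the certificate files yields the handshake failure branch, which is the observable difference between the mTLS layer being present and absent.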