> Failure leads to weird redirects for which you can't really fall back to a login prompt because the auth happens on TLS level and a token in HTTP can't replace that.
That's not true. nginx, for example, lets you return a custom response, which can easily be a 302 to the login page.
But I agree with all other points. On a sidenote, there's also the great option of using a CA for your client certificates while still using a normal CA for your https certificate - you don't have the worry of installing a root certificate on all clients and still have a nice, valid https connection in the browser. Unfortunately, hardly any tutorials pointed this out and used their own CA for everything instead.
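A minimal nginx configuration for the two points above (a public-CA server certificate next to a private CA for client certificates, and a 302 to the login page when the client presents no valid certificate), added here as an illustration; it is not from the original thread or from any project the thread mentions, and the hostname, paths and backend address are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name app.example.com;   # placeholder hostname

    # Server certificate from a public CA (e.g. Let's Encrypt, paths as issued by certbot):
    # browsers trust it as usual, nothing has to be installed on clients.
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    # Client certificates are verified against a separate, private CA.
    # Only that CA's certificate goes here; the public server chain is unaffected.
    # (placeholder path; the file may contain an intermediate plus root, hence depth 2)
    ssl_client_certificate /etc/nginx/client-ca/ca.crt;
    ssl_verify_depth 2;
    # ssl_crl /etc/nginx/client-ca/ca.crl;   # enable once you revoke certificates

    # "optional" rather than "on": nginx still sends CertificateRequest, so the
    # browser prompts for a certificate, but the handshake completes without one
    # and the decision is made per location in HTTP, where a redirect is possible.
    ssl_verify_client optional;

    location /login {
        # Reachable without a client certificate; the app serves its login form here.
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
    }

    location / {
        # $ssl_client_verify is "SUCCESS", "NONE" (no cert sent) or "FAILED:<reason>".
        if ($ssl_client_verify != SUCCESS) {
            return 302 /login;
        }
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
        # Pass the verified identity to the app; only set it on the SUCCESS path above
        # so the backend never sees a DN from a failed or absent verification.
        proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
    }
}
```

If you prefer `ssl_verify_client on`, nginx instead rejects the request itself with its internal status codes 495 (certificate failed verification) and 496 (no certificate sent), and `error_page 495 496 =302 /login;` in the server block produces the same redirect. Either way, make sure the backend only trusts the `X-Client-Cert-DN` header when it comes from this nginx and not directly from the network.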
> Unfortunately, hardly any tutorials pointed this out and used their own CA for everything instead.
I think this is one of the reasons so few people consider using TLS auth. There aren't many guides out there, and many of the ones that are easily accessible use a custom CA deployment that's an absolute pain to manage (custom TLS certs on websites with a custom ACME server or manual certificate generation, and so on).
Sometimes I feel like writing my own guide, but I'm not 100% confident that I'd get everything right.
I’ve been in this boat and have documented weird bugs and things that don’t work, but yet to write something about a working configuration.
I wanted to use mTLS for self hosted services and it took a while to come up with something that worked well in browsers, but apps on iOS and Android basically can’t use the certs making it fruitless.