Thanks, need to make the docs less verbose in some places :-)
https://clace.io/docs/configuration/authentication/ lists the supported auth mechanisms for apps. A built-in system account is the default. The OAuth providers supported are: github, google, digitalocean, bitbucket, amazon, azuread, microsoftonline, gitlab, auth0, okta, oidc. Any other provider supported by https://github.com/markbates/goth can be easily added, with a small code change.
For admin operations (creating/updating apps) using the client CLI, a unix domain socket is used. No other auth is used for UDS other than the file system level permissions. A REST API for admin operations can be optionally enabled, in which case it will use the system account https://clace.io/docs/configuration/security/#admin-api-acce....
Client cert based auth is not supported currently. Were you wanting that for app access or for admin API access?
In terms of performance, I did some testing a few months back. The app access API does not hit the database (sqlite), everything is cached after the first call. So the performance will be limited by the API performance of the downstream container. The Clace server itself should not be a bottleneck. The first API call to a containerized app builds the image and starts the container. That depends on how fast the image build and container startup are.
The client cert based auth would be for the app access.
Our use-case is review apps, i.e. <some-feature>.example.com should only be accessible by users with a valid client cert. Currently we use Caddy, but I'd like to give Clace a shot for this. :)
Two questions:
1. Do you support client certificates for authenticating clients?
2. Do you have some performance benchmarks?