SPIFFE mTLS (Mutual TLS)
Opening the network port via SPA is only half the battle. Phantom Grid strictly enforces Identity at the application layer using SPIFFE standards.
Workload Identity
Every service and authorized user in the Phantom Grid ecosystem is assigned a cryptographic identity in the form of a SPIFFE ID (e.g., spiffe://phantom.grid/service/backend-api).
Verification Process
- The client establishes a TLS connection to the Proxy.
- The Proxy requests the client's mTLS certificate.
- The Proxy extracts the
URI SAN(Subject Alternative Name) from the certificate. - If the SPIFFE ID is authorized to access the requested resource, the connection is proxied to the backend.
- If unauthorized or missing, the TLS handshake is aborted (
Alert: Bad Certificate).
