Aspnetcore: Add support for X509 client certificate "authentication"

Created on 16 Dec 2017 · 12 Comments · Source: dotnet/aspnetcore

It's important for a number of enterprise and financial API / OAuth scenarios.

@blowdart already has 85% of it done - please include that in ASP.NET itself.

Done area-security enhancement

All 12 comments

We've moved this issue to the Backlog milestone. This means that it is not going to happen for the coming release. We will re-assess the backlog following the current release and consider this item at that time. However, keep in mind that there are many other high priority features with which it will be competing for resources.

I am also looking for this handler. Thanks

@Eilon I'm putting this into 3.0, it shouldn't take that much time, I already have tests, we'd just need to do the reassignment, because this was done out of work hours.

@blowdart - do you already have a sample of this somewhere? We're concerned this might be a big cost to bring up to production, including testing. We can discuss more when you're back.

Who is "we" in this case? Damian allowed approved it.

It'd be a matter of moving https://github.com/blowdart/idunno.Authentication/tree/master/src/idunno.Authentication.Certificate and testing some more.

Thanks for the link. When you're back let's discuss exactly what needs to be done in terms of test coverage.

I have written a Client Cert Middleware too:
https://github.com/xavierjohn/ClientCertificateMiddleware

It basically maps certs to Roles using configuration settings. Example JSON setting:

  "AuthorizedCertficatesAndRoles": {
    "CertificateAndRoles": [
      {
        "Subject": "CN=http://user.mylocalmachine",
        "Issuer": "CN=http://user.mylocalmachine",
        "Roles": [ "User" ]
      },
      {
        "Subject": "CN=http://admin.mylocalmachine",
        "Issuer": "CN=http://admin.mylocalmachine",
        "Roles": [ "Admin" ]
      }
    ]
  }
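
The subject/issuer-to-roles mapping described in the comment above, sketched as an added example (not code from the linked repository or from ASP.NET Core). `CertRoleEntry` and `CertRoleMapper` are hypothetical names, and the config string and test certificate are constructed; the mapper assumes the certificate chain has already been validated before names are compared.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text.Json;

// One entry of the "CertificateAndRoles" array (hypothetical type name).
public record CertRoleEntry(string Subject, string Issuer, string[] Roles);

public static class CertRoleMapper
{
    // Normalize a configured DN through the platform encoder so spacing/quoting matches cert output.
    static string Norm(string dn) => new X500DistinguishedName(dn).Name;

    // Returns role claims for the first entry whose Subject AND Issuer both match.
    // Assumption: the caller has already validated the chain against a trusted root
    // (or pinned the thumbprint); Subject and Issuer are only names inside the certificate.
    public static Claim[] MapRoles(X509Certificate2 cert, CertRoleEntry[] entries)
    {
        var match = entries.FirstOrDefault(e =>
            Norm(e.Subject) == cert.SubjectName.Name &&
            Norm(e.Issuer) == cert.IssuerName.Name);
        return match is null
            ? Array.Empty<Claim>()               // unknown certificate: no roles
            : match.Roles.Select(r => new Claim(ClaimTypes.Role, r)).ToArray();
    }
}

public static class Program
{
    // Constructed config, same shape as the "CertificateAndRoles" array above.
    const string Json = @"[
      { ""Subject"": ""CN=http://user.mylocalmachine"",  ""Issuer"": ""CN=http://user.mylocalmachine"",  ""Roles"": [ ""User"" ] },
      { ""Subject"": ""CN=http://admin.mylocalmachine"", ""Issuer"": ""CN=http://admin.mylocalmachine"", ""Roles"": [ ""Admin"" ] }
    ]";

    public static void Main()
    {
        var entries = JsonSerializer.Deserialize<CertRoleEntry[]>(Json)!;
        // Constructed self-signed test certificate (subject == issuer, as in the config).
        using var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=http://admin.mylocalmachine", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        var identity = new ClaimsIdentity(CertRoleMapper.MapRoles(cert, entries), "Certificate");
        Console.WriteLine(new ClaimsPrincipal(identity).IsInRole("Admin")); // same check a role-based authorization policy performs
    }
}
```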

@HaoK said he should be able to take a look at this since @Tratcher is deep in Kerberos land now ;). It's in preview 5 right now, but it can certainly be moved (fyi @ajcvickers @Eilon).

Also, we should support the X-ARR-ClientCert header that forwards the client certificate from the ARR front-end (i.e. in Azure App Service). I believe @blowdart's component supports this, just adding it to the test matrix.

Note if we support X-ARR-ClientCert it should be in ForwardedHeaders, not directly in the cert auth handler.

@HaoK, I believe this is on your plate now?

Client certificates are a commonly used way to authenticate gRPC service clients. We'll be interested in using this middleware in our documentation and tutorials.
