I have an ASP.NET Core 7 MVC web application that has full user authentication, but also has a couple of API endpoints. A need has arisen for us to allow authentication on those endpoints using client certificates, instead of username/password. Is this possible?
I can see lots of documentation on switching on client certificates in IIS, and even turning off certificates for some endpoints, but I need the opposite: I need to turn them on for some endpoints, and leave all the others clear.
In the past I have used optional certificates, but the browser still prompts the user for a certificate, and we don't want that.
Ideally, I'd like something simple that just lets me check the client certificate on calls to the specific endpoints, and nowhere else.
Am I asking the impossible? Do I need to create a new web app, with client certificates turned on, to service these endpoints?