0

I have an ASP.NET Core 7 MVC web application that has full user authentication, but also has a couple of API endpoints. A need has arisen for us to allow authentication on those endpoints using client certificates, instead of username/password. Is this possible?

I can see lots of documentation on switching on client certificates in IIS, and even turning off certificates for some endpoints, but I need to opposite: I need to turn them on for some endpoints, and leave all the others clear.

In the past I have used optional certificates, but the browser still prompt the user for a certificate, and we don't want that.

Ideally, I'd like something simple that just lets me check the client certificate on calls to the specific endpoints, and no-where else?

Am I asking the impossible? Do I need to create a new web app, with client certificates turned on, to service these endpoints?

1 Answer 1

Reset to default
0

You could use this below code to secure your specific api call with client certificate authentication:

Program.cs:

using Microsoft.AspNetCore.Authentication.Certificate;
using System.Security.Cryptography.X509Certificates;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddControllersWithViews();

builder.Services.AddAuthentication("Certificate")
    .AddCertificate(options =>
    {
        options.AllowedCertificateTypes = CertificateTypes.SelfSigned; // Adjust as necessary
        options.RevocationMode = X509RevocationMode.NoCheck;
        options.Events = new CertificateAuthenticationEvents
        {
            OnCertificateValidated = context =>
            {
                // Custom validation logic here, if needed
                context.Success();
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ClientCertificatePolicy", policy =>
    {
        policy.AddAuthenticationSchemes("Certificate");
        policy.RequireAuthenticatedUser();
    });
});



var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Home/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseRouting();

app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    endpoints.MapControllers();
});



app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}/{id?}");

app.Run();

Controller:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace ClientCertApp.Controllers
{
    [ApiController]
    [Route("api/[controller]")]
    [Authorize(Policy = "ClientCertificatePolicy")]
    public class SecureApiController : ControllerBase
    {
        [HttpGet("data")]
        public IActionResult GetData()
        {
            return Ok(new { Message = "This endpoint is protected by client certificate authentication." });
        }
    }

}

Not the answer you're looking for? Browse other questions tagged or ask your own question.