Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
menu search
person
Welcome To Ask or Share your Answers For Others

Categories

I'm trying to implement client certificate authentication with ASP.NET and IdentityServer4, but can't seem to make it work. Through Postman I get "Error: invalid_client", in debug console "Client secret validation failed for client: ISCCA.". I'm running the application with Kestrel on localhost.

Based on documentation and examples i've been through, this is my result so far:

Kestrel configuration:

webBuilder.ConfigureKestrel(builderOptions => {
    builderOptions.ConfigureHttpsDefaults(httpOptions => {
        httpOptions.AllowAnyClientCertificate();
        httpOptions.ClientCertificateMode = ClientCertificateMode.AllowCertificate;
        httpOptions.CheckCertificateRevocation = false;
    });
});

Identity server configuration with in memory clients, resources and scopes:

services
.AddIdentityServer(options => {
    // MTLS for client certificate authentication endpoints with default scheme set as Certificate
    options.MutualTls.Enabled = true;
    options.MutualTls.ClientCertificateAuthenticationScheme = CertificateAuthenticationDefaults.AuthenticationScheme;
    
    // Use subdomain endpoints (mtls.host)
    options.MutualTls.DomainName = "mtls";
})
.AddMutualTlsSecretValidators()                         // So that Identity Server knows to validate thumbprint or certificate name
.AddDeveloperSigningCredential()
.AddInMemoryApiResources(new List<ApiResource> {
    new ApiResource(
        name: "MyAPI",                                  // Api resource name
        displayName: "My API Set",                      // Display name
        userClaims: new List<string> { "access" }       // Claims to be included in access token
    )
})
.AddInMemoryIdentityResources(GetIdentityResources())   // Contains only IdentityResources.OpenId()
.AddInMemoryClients(new List<Client>() {
    new Client {
        Enabled = true,
        ClientId = "ISCCA",
        ClientSecrets = {
            // Testing env client certificate thumbprint secret
            new Secret() {
                Value = "<thumbprint>",
                Type = SecretTypes.X509CertificateThumbprint
            }
        },
        AccessTokenLifetime = 60 * 60 * 24,
        AllowedGrantTypes = GrantTypes.ClientCredentials,
        AllowedScopes = { "MyAPI" }
    }
})
.AddInMemoryApiScopes(new List<ApiScope> {
    new ApiScope {
        Name = "MyAPI",
        DisplayName = "Some API",
        UserClaims = { "access" }
    }
});

Authentication and authorization:

services
.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
.AddCertificate(options => {
    options.AllowedCertificateTypes = CertificateTypes.All;
    options.RevocationMode = X509RevocationMode.NoCheck;
})
.AddIdentityServerJwt();

services.AddAuthorization(options => {
    options.AddPolicy("ApiScope", policy => {
        policy.RequireAuthenticatedUser();
        policy.RequireClaim("access");
    });
});

If i use a secret without defined type, the token is returned as expected, but when i want it to use the thumbprint, i get errors above.

I have set up the certificate in Postman and it is included in request, but i'm not sure if it comes to the server (everything is run localy on the same PC). As for token request and server response, below are screenshots of what is in auth header and response and Kestrel log:

Auth Header

Response

Log

I don't know what i did wrong. Also i have included

app.UseAuthentication();
app.UseIdentityServer();
app.UseAuthorization();

in Configure method.

question from:https://stackoverflow.com/questions/65952365/identity-server-4-asp-net-certificate-authentication

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
1.1k views
Welcome To Ask or Share your Answers For Others

1 Answer

Waitting for answers

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
...