Stratiteq.Microservices.ClientCertAuth
1.0.0
Prefix Reserved
There is a newer version of this package available.
See the version list below for details.
See the version list below for details.
dotnet add package Stratiteq.Microservices.ClientCertAuth --version 1.0.0
NuGet\Install-Package Stratiteq.Microservices.ClientCertAuth -Version 1.0.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="Stratiteq.Microservices.ClientCertAuth" Version="1.0.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add Stratiteq.Microservices.ClientCertAuth --version 1.0.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
#r "nuget: Stratiteq.Microservices.ClientCertAuth, 1.0.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install Stratiteq.Microservices.ClientCertAuth as a Cake Addin #addin nuget:?package=Stratiteq.Microservices.ClientCertAuth&version=1.0.0 // Install Stratiteq.Microservices.ClientCertAuth as a Cake Tool #tool nuget:?package=Stratiteq.Microservices.ClientCertAuth&version=1.0.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
Validates incoming client certificate, the .NET Core way.
Completely based on work by Barry Dorrans (https://idunno.org/) from https://github.com/blowdart/idunno.Authentication/tree/master/src/idunno.Authentication.Certificate. Some minor code comment fixes, and extracted the certificate bits only, as well as refactored out the X509Certificate helpers to separate nuget. Also added a default certificate validation service based on thumbprint matching.
Example Startup.cs code:
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Stratiteq.Microservices.ClientCertAuth;
using Stratiteq.Microservices.Jwt;
using Stratiteq.Microservices.X509Certificate;
namespace My.WebApplication
{
public class Startup
{
public const string ClaimsIssuer = "https://mycompany.com";
public const string CertificateSubjectName = "ServiceA";
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
var certificate = CertificateFinder.FindBySubjectName(CertificateSubjectName, DateTime.UtcNow);
if (certificate == null)
{
throw new Exception($"Could not find the certificate with subject {CertificateSubjectName} in either the CurrentUser or LocalMachine store locations. Please install this certificate on target machine before trying to use it.");
}
services.AddSingleton<ICertificateValidationService, CertificateValidationService>(_ => new CertificateValidationService(new[] { certificate }));
services
.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
.AddCertificate(options =>
{
options.ClaimsIssuer = ClaimsIssuer;
options.AllowedCertificateTypes = CertificateTypes.All;
options.Events = new CertificateAuthenticationEvents
{
OnValidateCertificate = context =>
{
var validationService = context.HttpContext.RequestServices.GetService<ICertificateValidationService>();
if (validationService.ValidateCertificate(context.ClientCertificate) == false)
{
context.Fail("Client certificate thumbprint didn't match any registered trusted certificates.");
return Task.CompletedTask;
}
// Create a ClaimsIdentiy based on the claims in the certificate. This code uses the CreateClaimsFromCertificate() helper method in the Stratiteq.Microservices.X509Certificate nuget.
// It also uses the GetJwtFromAuthorizationHeader() helper method from the Stratiteq.Microservices.Jwt nuget.
var token = context.Request.Headers.GetJwtFromAuthorizationHeader();
var certClaimsIdentity = new ClaimsIdentity(
context.ClientCertificate.CreateClaimsFromCertificate(context.Options.ClaimsIssuer),
CertificateAuthenticationDefaults.AuthenticationScheme);
// Optionally, if also doing authorization based on incoming jwt token, populate claims from jwt to the claims list in the .NET ClaimsPrincipal to hook up the Authorize-attribute and User.IsInRole etc.
// These helpers are in the Stratiteq.Microservices.Jwt nuget. Alternatively, just assign certClaimsIdentity to context.Principal directly.
context.Principal = string.IsNullOrEmpty(token) ?
new ClaimsPrincipal(certClaimsIdentity) :
new ClaimsPrincipal(new[]
{
new ClaimsIdentity(Claims.CreateFromJwt(token), JwtBearerDefaults.AuthenticationScheme),
certClaimsIdentity
});
context.Success();
return Task.CompletedTask;
}
};
});
// Strongly consider enforcing authorization globally for all endpoints in the API by using the following configuration:
services
.AddMvc(o =>
{
o.Filters.Add(
new AuthorizeFilter(
new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build()));
})
.SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
services.AddAuthorization();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseCertificateHeaderForwarding();
app.UseAuthentication();
app.UseHttpsRedirection();
app.UseMvc();
}
}
}
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
| .NET Core | netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed. |
| .NET Standard | netstandard2.0 is compatible. netstandard2.1 was computed. |
| .NET Framework | net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed. |
| MonoAndroid | monoandroid was computed. |
| MonoMac | monomac was computed. |
| MonoTouch | monotouch was computed. |
| Tizen | tizen40 was computed. tizen60 was computed. |
| Xamarin.iOS | xamarinios was computed. |
| Xamarin.Mac | xamarinmac was computed. |
| Xamarin.TVOS | xamarintvos was computed. |
| Xamarin.WatchOS | xamarinwatchos was computed. |
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.
-
.NETStandard 2.0
- Microsoft.AspNetCore.Authentication (>= 2.2.0)
- Stratiteq.Microservices.X509Certificate (>= 1.0.0)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.