I got it working
First create proper certificate usig powershell ( run as administrator)
Step 1: to use with IDS4 server - need to register DNS localhost and mtls.localhost
New-SelfSignedCertificate -Subject "CN=localhost" -DnsName "localhost", "mtls.localhost" -CertStoreLocation cert:CurrentUserMy -Provider "Microsoft Strong Cryptographic Provider" -FriendlyName "AAABBBIds4mtls test" -NotAfter (Get-Date).AddYears(1)
it's SelfSigned so copy and paste ( using Windows certmgr.exe) to 'trusted root certification authorities'
Step 2: create certificate for Client
$cert = New-SelfSignedCertificate -Subject "CN=aaabbb" -DnsName "localhost" -CertStoreLocation cert:CurrentUserMy -Provider "Microsoft Strong Cryptographic Provider" -FriendlyName "aaabbb20210125" -NotAfter (Get-Date).AddYears(1)
$cred = Get-Credential
Export-PfxCertificate -Cert $cert -Password $cred.Password -FilePath "./aaabbb20210125.pfx"
then I use Client code from Scoot Braddy sample Scott Brady blog
to check how it works with Microsoft.AspNetCore.Authentication.Certificate
next you need setup your IdentityServer4 project hosted on Kestrel
Program.cs
BuildWebHost(args).Run();
.......
public static IWebHost BuildWebHost(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseSerilog()
.UseStartup<Startup>()
.UseKestrel(options =>
{
options.Listen(IPAddress.Loopback, 5001, listenOptions =>
{
listenOptions.UseHttps(new HttpsConnectionAdapterOptions
{
ServerCertificate = **get cert from step 1**
from file or windows cert store ///X509.GetCertificate("a9dfaac956575d850f718dde03c9e86a6eb15984", StoreLocation.CurrentUser)
,///RequireCertificate is important switch it off -to get error with client mtls validation
ClientCertificateMode = ClientCertificateMode.RequireCertificate ,
ClientCertificateValidation = CertificateValidator.DisableChannelValidation
});
});
options.Listen(IPAddress.Loopback, 5000);
})
.Build();
Check you have added nuget package Microsoft.AspNetCore.Authentication.Certificate
Startup.cs
var builder = services.AddIdentityServer(options =>
{
options.Events.RaiseSuccessEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.EmitScopesAsSpaceDelimitedStringInJwt = true;
options.MutualTls.Enabled = true;
options.MutualTls.DomainName = "mtls";
options.MutualTls.ClientCertificateAuthenticationScheme = "Certificate";
//options.MutualTls.AlwaysEmitConfirmationClaim = true;
})
.AddInMemoryApiScopes(Configuration.GetApiScopes())
.AddInMemoryApiResources(Configuration.GetApiResources())
.AddInMemoryIdentityResources(Configuration.GetIdentityResources())
.AddInMemoryClients(Configuration.GetClients())
.AddMutualTlsSecretValidators()
.AddSigningCredential(X509.GetCertificate("88D603D7F65B07109E4D0FFBECCCD70881F902F8", StoreLocation.CurrentUser));//add your certificate
services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
.AddCertificate(options =>
{
options.AllowedCertificateTypes = CertificateTypes.All; //selfsigned too
options.RevocationMode = X509RevocationMode.NoCheck;//for development/testing
options.Events = new CertificateAuthenticationEvents
{
OnCertificateValidated = context =>
{
var claims = new[]
{
new Claim(ClaimTypes.NameIdentifier, context.ClientCertificate.Subject, ClaimValueTypes.String, context.Options.ClaimsIssuer),
new Claim(ClaimTypes.Name, context.ClientCertificate.Subject, ClaimValueTypes.String, context.Options.ClaimsIssuer)
};
context.Principal = new ClaimsPrincipal(new ClaimsIdentity(claims, context.Scheme.Name));
context.Success();
return Task.CompletedTask;
}
};
});
Setup mtlsclient mtlsclient
....
static async Task<TokenResponse> RequestTokenAsync()
{
var client = new HttpClient(GetHandler());
var disco = await client.GetDiscoveryDocumentAsync("https://localhost:5001"); "https://identityserver.local");
............
static SocketsHttpHandler GetHandler()
{
var handler = new SocketsHttpHandler();
var cert = new X509Certificate2("client.p12", "changeit");///**get cert from step 2**
handler.SslOptions.ClientCertificates = new X509CertificateCollection { cert };
return handler;
}
setup your host file
C:WindowsSystem32driversetc
# To allow the MTLS for identityServer4
127.0.0.1 mtls.localhost
127.0.0.1 identityserver.local
# End of section
and finally at the end run IDS4 ,run mtlsclient
[19:36:48 Debug] IdentityServer4.Endpoints.TokenEndpoint
Start token request.
[19:36:48 Debug] IdentityServer4.Validation.ClientSecretValidator
Start client validation
[19:36:48 Debug] IdentityServer4.Validation.BasicAuthenticationSecretParser
Start parsing Basic Authentication secret
[19:36:48 Debug] IdentityServer4.Validation.PostBodySecretParser
Start parsing for secret in post body
[19:36:48 Debug] IdentityServer4.Validation.PostBodySecretParser
client id without secret found
[19:36:48 Debug] IdentityServer4.Validation.ISecretsListParser
Parser found secret: PostBodySecretParser
[19:36:48 Debug] IdentityServer4.Validation.MutualTlsSecretParser
Start parsing for client id in post body
[19:36:48 Debug] IdentityServer4.Validation.ISecretsListParser
Parser found secret: MutualTlsSecretParser
[19:36:48 Debug] IdentityServer4.Validation.ISecretsListParser
Secret id found: mtls
[19:36:48 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client mtls succeeded.
[19:36:48 Debug] IdentityServer4.Validation.HashedSharedSecretValidator
Hashed shared secret validator cannot process X509Certificate
[19:36:48 Debug] IdentityServer4.Validation.ISecretsListValidator
Secret validator success: X509ThumbprintSecretValidator
[19:36:48 Debug] IdentityServer4.Validation.ClientSecretValidator
Client validation success
[19:36:48 Information] IdentityServer4.Events.DefaultEventService
{"ClientId": "mtls", "AuthenticationMethod": "X509Certificate", "Category": "Authentication", "Name": "Client Authentication Success", "EventType": "Success", "Id": 1010, "Message": null, "ActivityId": "0HM62U8QNJK8Q:00000001", "TimeStamp": "2021-01-27T18:36:48.0000000Z", "ProcessId": 27900, "LocalIpAddress": "127.0.0.1:5001", "RemoteIpAddress": "127.0.0.1", "$type": "ClientAuthenticationSuccessEvent"}
[19:36:48 Debug] IdentityServer4.Validation.TokenRequestValidator
Start token request validation
[19:36:48 Debug] IdentityServer4.Validation.TokenRequestValidator
Start client credentials token request validation
[19:36:48 Debug] IdentityServer4.Validation.TokenRequestValidator
mtls credentials token request validation success
[19:36:48 Information] IdentityServer4.Validation.TokenRequestValidator
Token request validation success, {"ClientId": "mtls", "ClientName": null, "GrantType": "client_credentials", "Scopes": "AconsApi ApiTwo", "AuthorizationCode": "********", "RefreshToken": "********", "UserName": null, "AuthenticationContextReferenceClasses": null, "Tenant": null, "IdP": null, "Raw": {"grant_type": "client_credentials", "scope": "AconsApi ApiTwo", "client_id": "mtls"}, "$type": "TokenRequestValidationLog"}
[19:36:48 Debug] IdentityServer4.Services.DefaultClaimsService
Getting claims for access token for client: mtls
[19:36:49 Information] IdentityServer4.Events.DefaultEventService
{"ClientId": "mtls", "ClientName": null, "RedirectUri": null, "Endpoint": "Token", "SubjectId": null, "Scopes": "AconsApi ApiTwo", "GrantType": "client_credentials", "Tokens": [{"TokenType": "access_token", "TokenValue": "****hTTg", "$type": "Token"}], "Category": "Token", "Name": "Token Issued Success", "EventType": "Success", "Id": 2000, "Message": null, "ActivityId": "0HM62U8QNJK8Q:00000001", "TimeStamp": "2021-01-27T18:36:49.0000000Z", "ProcessId": 27900, "LocalIpAddress": "127.0.0.1:5001", "RemoteIpAddress": "127.0.0.1", "$type": "TokenIssuedSuccessEvent"}
[19:36:49 Debug] IdentityServer4.Endpoints.TokenEndpoint
Token request success.
MTLS Client
Access Token (decoded):
{
"alg": "RS256",
"kid": "88D603D7F65B07109E4D0FFBECCCD70881F902F8RS256",
"typ": "at+jwt",
"x5t": "iNYD1_ZbBxCeTQ_77MzXCIH5Avg"
}
{
"nbf": 1611772608,
"exp": 1611776208,
"iss": "https://localhost:5001",
"aud": [
"Api",
"ApiTwo"
],
"client_id": "mtls",
"jti": "447F97582B1C1ADDABB237B7E36C4F32",
"iat": 1611772608,
"scope": "AconsApi ApiTwo",
"cnf": {
"x5t#S256": "1F9sG7CCC77SL9LI9edhus9Ga8AKJgfE5eraKvrv438"
}
}
summary
- 1.setup ...etshosts
- 2.prepare certificates step1 step2 (makecert.exe does not work with SAN( Subject Alternative Names) )
- 3.setup IDS4 Program.cs Startup.cs
- 4.use mtlsclient certificate from step2