Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.1k views
in Technique[技术] by (71.8m points)

postman - Identity Server 4 ASP.NET certificate authentication

I'm trying to implement client certificate authentication with ASP.NET and IdentityServer4, but can't seem to make it work. Through Postman I get "Error: invalid_client", in debug console "Client secret validation failed for client: ISCCA.". I'm running the application with Kestrel on localhost.

Based on documentation and examples i've been through, this is my result so far:

Kestrel configuration:

webBuilder.ConfigureKestrel(builderOptions => {
    builderOptions.ConfigureHttpsDefaults(httpOptions => {
        httpOptions.AllowAnyClientCertificate();
        httpOptions.ClientCertificateMode = ClientCertificateMode.AllowCertificate;
        httpOptions.CheckCertificateRevocation = false;
    });
});

Identity server configuration with in memory clients, resources and scopes:

services
.AddIdentityServer(options => {
    // MTLS for client certificate authentication endpoints with default scheme set as Certificate
    options.MutualTls.Enabled = true;
    options.MutualTls.ClientCertificateAuthenticationScheme = CertificateAuthenticationDefaults.AuthenticationScheme;
    
    // Use subdomain endpoints (mtls.host)
    options.MutualTls.DomainName = "mtls";
})
.AddMutualTlsSecretValidators()                         // So that Identity Server knows to validate thumbprint or certificate name
.AddDeveloperSigningCredential()
.AddInMemoryApiResources(new List<ApiResource> {
    new ApiResource(
        name: "MyAPI",                                  // Api resource name
        displayName: "My API Set",                      // Display name
        userClaims: new List<string> { "access" }       // Claims to be included in access token
    )
})
.AddInMemoryIdentityResources(GetIdentityResources())   // Contains only IdentityResources.OpenId()
.AddInMemoryClients(new List<Client>() {
    new Client {
        Enabled = true,
        ClientId = "ISCCA",
        ClientSecrets = {
            // Testing env client certificate thumbprint secret
            new Secret() {
                Value = "<thumbprint>",
                Type = SecretTypes.X509CertificateThumbprint
            }
        },
        AccessTokenLifetime = 60 * 60 * 24,
        AllowedGrantTypes = GrantTypes.ClientCredentials,
        AllowedScopes = { "MyAPI" }
    }
})
.AddInMemoryApiScopes(new List<ApiScope> {
    new ApiScope {
        Name = "MyAPI",
        DisplayName = "Some API",
        UserClaims = { "access" }
    }
});

Authentication and authorization:

services
.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
.AddCertificate(options => {
    options.AllowedCertificateTypes = CertificateTypes.All;
    options.RevocationMode = X509RevocationMode.NoCheck;
})
.AddIdentityServerJwt();

services.AddAuthorization(options => {
    options.AddPolicy("ApiScope", policy => {
        policy.RequireAuthenticatedUser();
        policy.RequireClaim("access");
    });
});

If i use a secret without defined type, the token is returned as expected, but when i want it to use the thumbprint, i get errors above.

I have set up the certificate in Postman and it is included in request, but i'm not sure if it comes to the server (everything is run localy on the same PC). As for token request and server response, below are screenshots of what is in auth header and response and Kestrel log:

Auth Header

Response

Log

I don't know what i did wrong. Also i have included

app.UseAuthentication();
app.UseIdentityServer();
app.UseAuthorization();

in Configure method.

question from:https://stackoverflow.com/questions/65952365/identity-server-4-asp-net-certificate-authentication

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)
Waitting for answers

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...