Add support for X509 client certificate "authentication" #4663

Closed
leastprivilege opened this issue Dec 16, 2017 · 12 comments
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer Done This issue has been fixed enhancement This issue represents an ask for new feature or an enhancement to an existing one

Comments

@leastprivilege
Contributor

It's important for a number of enterprise and financial API / OAuth scenarios.

@blowdart already has 85% of it done - please include that in ASP.NET itself.

@Eilon
Contributor

Eilon commented Jan 11, 2018

We've moved this issue to the Backlog milestone. This means that it is not going to happen for the coming release. We will re-assess the backlog following the current release and consider this item at that time. However, keep in mind that there are many other high priority features with which it will be competing for resources.

@dmositecore

I am also looking for this handler. Thanks

@blowdart
Contributor

@Eilon I'm putting this into 3.0, it shouldn't take that much time, I already have tests, we'd just need to do the reassignment, because this was done out of work hours.

@aspnet-hello aspnet-hello transferred this issue from aspnet/Security Dec 13, 2018
@aspnet-hello aspnet-hello added this to the 3.0.0-preview2 milestone Dec 13, 2018
@aspnet-hello aspnet-hello added area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer enhancement This issue represents an ask for new feature or an enhancement to an existing one labels Dec 13, 2018
@Eilon
Contributor

Eilon commented Dec 13, 2018

@blowdart - do you already have a sample of this somewhere? We're concerned this might be a big cost to bring up to production, including testing. We can discuss more when you're back.

@blowdart
Contributor

Who is "we" in this case? Damian allowed approved it.

It'd be a matter of moving https://github.com/blowdart/idunno.Authentication/tree/master/src/idunno.Authentication.Certificate and testing some more

@Eilon
Contributor

Eilon commented Dec 14, 2018

Thanks for the link. When you're back let's discuss exactly what needs to be done in terms of test coverage.

@Eilon Eilon modified the milestones: 3.0.0-preview2, 3.0.0-preview3 Dec 20, 2018
@xavierjohn

I have written a Client Cert Middleware too
https://github.com/xavierjohn/ClientCertificateMiddleware

Basically maps certs to roles using configuration settings. Example JSON setting:

```json
{
  "AuthorizedCertficatesAndRoles": {
    "CertificateAndRoles": [
      {
        "Subject": "CN=http://user.mylocalmachine",
        "Issuer": "CN=http://user.mylocalmachine",
        "Roles": [ "User" ]
      },
      {
        "Subject": "CN=http://admin.mylocalmachine",
        "Issuer": "CN=http://admin.mylocalmachine",
        "Roles": [ "Admin" ]
      }
    ]
  }
}
```
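
An added example, not part of the comment above or of either linked project: mapping a certificate to the roles in that configuration, under the assumption that roles are granted only after the chain builds to a pinned root, because Subject and Issuer strings alone do not show who holds the key. `CertificateAndRoles`, `Map`, `SelfSigned` and the "Certificate" authentication type are hypothetical names, the certificates are constructed in memory, and .NET 5 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed sample data: two throwaway self-signed certificates with the same
// subject as the "Admin" entry; only the first is placed in the trust store.
var pinned = SelfSigned("CN=http://admin.mylocalmachine");
var lookalike = SelfSigned("CN=http://admin.mylocalmachine");
var trusted = new X509Certificate2Collection(pinned);
var config = new[]
{
    new CertificateAndRoles("CN=http://user.mylocalmachine", "CN=http://user.mylocalmachine", new[] { "User" }),
    new CertificateAndRoles("CN=http://admin.mylocalmachine", "CN=http://admin.mylocalmachine", new[] { "Admin" }),
};
foreach (var presented in new[] { pinned, lookalike })
{
    var id = Map(presented, config, trusted);
    Console.WriteLine(id is null ? "rejected" : string.Join(",", id.FindAll(ClaimTypes.Role).Select(c => c.Value)));
}

static X509Certificate2 SelfSigned(string subject)
{
    using var key = RSA.Create(2048);
    var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
}

// Roles are assigned only when the chain builds to a pinned root AND an entry's
// Subject and Issuer both match; a name match alone is not treated as proof of identity.
static ClaimsIdentity? Map(X509Certificate2 cert, IEnumerable<CertificateAndRoles> entries, X509Certificate2Collection roots)
{
    using var chain = new X509Chain();
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
    chain.ChainPolicy.CustomTrustStore.AddRange(roots);
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // sample certs have no CRL/OCSP endpoint
    if (!chain.Build(cert)) return null;
    var roles = entries.Where(e => e.Subject == cert.Subject && e.Issuer == cert.Issuer)
                       .SelectMany(e => e.Roles).Distinct().ToList();
    if (roles.Count == 0) return null;
    var identity = new ClaimsIdentity("Certificate"); // authentication type name is an assumption
    identity.AddClaim(new Claim(ClaimTypes.Name, cert.Subject));
    identity.AddClaims(roles.Select(r => new Claim(ClaimTypes.Role, r)));
    return identity;
}
// Hypothetical type mirroring one "CertificateAndRoles" entry from the JSON in the comment.
record CertificateAndRoles(string Subject, string Issuer, string[] Roles);
```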

@analogrelay
Contributor

@HaoK said he should be able to take a look at this since @Tratcher is deep in Kerberos land now ;). It's in preview 5 right now, but it can certainly be moved (fyi @ajcvickers @Eilon).

Also, we should support the X-ARR-ClientCert header that forwards the client certificate from the ARR front-end (i.e. in Azure App Service). I believe @blowdart's component supports this, just adding it to the test matrix.

@Tratcher
Member

Note if we support X-ARR-ClientCert it should be in ForwardedHeaders, not directly in the cert auth handler.

@Eilon
Contributor

Eilon commented Apr 11, 2019

@HaoK, I believe this is on your plate now?

@JamesNK
Member

JamesNK commented Apr 25, 2019

Client certificates are a commonly used way to authenticate gRPC service clients. We'll be interested in using this middleware in our documentation and tutorials.

@HaoK
Member

HaoK commented Jun 1, 2019

#9756

@HaoK HaoK closed this as completed Jun 1, 2019
@HaoK HaoK added the Done This issue has been fixed label Jun 1, 2019
@ghost ghost locked as resolved and limited conversation to collaborators Dec 4, 2019
10 participants