.Net Core Web API with Client Certificate Authentication


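Problem description

I have developed a simple Web API service in .Net Core 2.1.

I'm trying to implement client certificate authentication, so that I can grant access to the API only to clients that have a specific certificate installed on their machine.

The clients access the API using a browser (Chrome, Edge, IE11 or Firefox).

I've added the request for the certificate in the API method: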

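[HttpGet]
public ActionResult<IEnumerable<string>> Get()
{
    // Certificate presented during the TLS handshake; null if none was received.
    X509Certificate2 cert = Request.HttpContext.Connection.ClientCertificate;
    // Verify() performs X.509 chain validation using the basic validation policy.
    if (cert != null && cert.Verify())
    {
        //more verification here...
        return Content("....", "application/json");
    }
    else
    {
        return Content("....", "application/json");
    }
}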


Then I've installed a self-signed certificate and added it to the Trusted Root, enabling the Client Authentication purpose.

But the variable cert is always null and the browser didn't even prompt me to use a certificate when I request the page.

I suppose because I have to set somewhere that the web server must ask for the client certificate as it is possible to set in IIS, but in my development environment, I'm using IIS Express.

How can I force IIS Express to request a client certificate?

Solution

For proper certificate authentication using the ASP.NET Core authentication stack, you can also check out idunno.Authentication.Certificate by Barry Dorrans himself. It allows you to enable certificate authentication for your application and handles it like any other authentication scheme, so you can keep actual certificate-based logic out of your business logic.

This project sort of contains an implementation of Certificate Authentication for ASP.NET Core. Certificate authentication happens at the TLS level, long before it ever gets to ASP.NET Core, so, more accurately this is an authentication handler that validates the certificate and then gives you an event where you can resolve that certificate to a ClaimsPrincipal.

You must configure your host for certificate authentication, be it IIS, Kestrel, Azure Web Applications or whatever else you're using.

Make sure to also check out the "documentation" on how to set this up properly, since it requires configuration of the host to work properly, just like you did with IIS Express. Instructions for other servers like raw Kestrel, IIS, Azure or general reverse proxies are included.
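
One way to write the certificate checks and the certificate-to-ClaimsPrincipal mapping that the answer describes, as an added example that is not part of the original answer or of idunno.Authentication.Certificate. The class name, the allow-list and the placeholder thumbprint are assumptions, and only base class library types are used:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: hypothetical helper, not part of idunno.Authentication.Certificate.
public static class ClientCertificateResolver
{
    private const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // Assumption: allow-list of issued client certificates. The value below is a
    // constructed placeholder, not a real thumbprint.
    private static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000"
        };

    // Returns a ClaimsPrincipal for an accepted certificate, or null to reject it.
    public static ClaimsPrincipal Resolve(X509Certificate2 cert)
    {
        // Null means the host never requested (or the client never sent) a certificate.
        if (cert == null) return null;

        // NotBefore/NotAfter are expressed in local time.
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter) return null;

        // If the certificate restricts its usage, client authentication must be listed.
        var ekus = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().ToList();
        if (ekus.Count > 0 && !ekus.Any(e => e.EnhancedKeyUsages.Cast<Oid>()
                                              .Any(o => o.Value == ClientAuthOid)))
            return null;

        // Pin to the specific certificates: chaining to a trusted root alone would
        // accept every certificate issued under any root the machine trusts.
        if (!AllowedThumbprints.Contains(cert.Thumbprint)) return null;

        var claims = new[]
        {
            new Claim(ClaimTypes.Name, cert.GetNameInfo(X509NameType.SimpleName, false)),
            new Claim(ClaimTypes.X500DistinguishedName, cert.Subject),
            new Claim(ClaimTypes.Thumbprint, cert.Thumbprint)
        };
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Certificate"));
    }
}
```

A null result should be treated as an authentication failure; chain and revocation checks stay with `cert.Verify()` or the authentication handler, and this helper adds the pinning on top of them.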
