SSL Certificate authentication in ASP.NET Core

Have you ever wondered, even though you added a certificate to HttpClient while accessing data from the Api service, why you are getting unAuthorized access or your Api is not working as expected?
Answer to the above question is that the certificate exchange is done at the start of the HTTPS conversation, it's done by the server before the first request is received on that connection. So the right place to add a certificate to HttpClient is the Program.cs or StartUp.cs file.

Microsoft.AspNetCore.Authentication.Certificate contains an implementation similar to Certificate Authentication for ASP.NET Core. Certificate authentication happens at the TLS level, long before it ever gets to ASP.NET Core. More accurately, this is an authentication handler that validates the certificate and then gives you an event where you can resolve that certificate to a ClaimsPrincipal.

Implement an HttpClient using a certificate and IHttpClientFactory

In the following example, a client certificate is added to a HttpClientHandler using the ClientCertificates property from the handler. This handler can then be used in a named instance of an HttpClient using the ConfigurePrimaryHttpMessageHandler method. This is setup in Program.cs:

var clientCertificate =

    new X509Certificate2(

      Path.Combine(_environment.ContentRootPath, "mysample_cert.pfx"), "12345678");

 

builder.Services.AddHttpClient("namedClient", c =>

{

}).ConfigurePrimaryHttpMessageHandler(() =>

{

    var handler = new HttpClientHandler();

    handler.ClientCertificates.Add(clientCertificate);

    return handler;

});

 

The IHttpClientFactory can then be used to get the named instance with the handler and the certificate. The CreateClient method with the name of the client defined in Program.cs is used to get the instance. The HTTP request can be sent using the client as required:

 

public class SampleHttpService

{

    private readonly IHttpClientFactory _httpClientFactory;

 

    public SampleHttpService(IHttpClientFactory httpClientFactory)

        => _httpClientFactory = httpClientFactory;

 

    public async Task<JsonDocument> GetAsync()

    {

        var httpClient = _httpClientFactory.CreateClient("namedClient");

        var httpResponseMessage = await httpClient.GetAsync("https://sample.com");

 

        if (httpResponseMessage.IsSuccessStatusCode)

        {

            return JsonDocument.Parse(

                await httpResponseMessage.Content.ReadAsStringAsync());

        }

 

        throw new ApplicationException($"Status code: {httpResponseMessage.StatusCode}");

    }

}

 

If the correct certificate is sent to the server, the data is returned. If no certificate or the wrong certificate is sent, an HTTP 403 status code is returned.

Comments

Post a Comment

Popular posts from this blog

Belekeri, Karwar Beach Photos

Image
Belekeri Beach : Situated 8 kms away from Ankola is an old port of Belekin with the long stretches of unexplored beaches. Situated at the bay of the river Belekin. The place has two temples of Jenubeera and Ishwara and also an old inscription dating back to the 15th century. Belekeri Port was a good port during the time of British, and managenese ore was being exported from here. The beautiful beach here attracts many tourists
Read more

Publish an Angular with .NET CORE app to IIS on AWS Cloud EC2 instance

I faced a few challenges while publishing my application(Front end on Angular 13, Backend is .NET CORE 6) to IIS on AWS EC2 instance using Custom Identity. So I thought of sharing this post which will help you to fix the issue quickly. It is a straight forward process to publish an application to IIS without using custom identity and many are already aware of this process. When we create an Application Pool by default it uses Application Pool Identity. In many cases we can not use Application Pool Identity. For example if your application is accessing web share or network share then your application needs to have required permission to access these shares. In this case you will have to create a Service Account and provide necessary permission to your Service Account to access these shares. Then you need to use this Service Account as Identity instead of Application Pool Identity to set up your application. However if you want to use another identity then we have to make sure your new i
Read more