Optional client certificates sample

[Tratcher]

@blowdart @HaoK @anurse

We've had several requests around how to set up an application where client certificates were only required for some paths (#21193 @leastprivilege @brockallen @FDonald). There are lots of protocol issues with that (see the readme.md), so I came up with a proposal based on host names. This is the first sample I've put together that implements that proposal.

In this first draft I proved it can work, but rough and has exposed a few holes in our infrastructure.

• I used IPs rather than hosts here to avoid setting up custom DNS. You'll get cert trust errors for that.
• The sample should work as is with 3.1, haven't used any new APIs yet.
• This strategy should work with any of our servers, but I've only demonstrated it with Kestrel. Setting up client certificates (and alternate host names) for IIS Express or HttpSys is a pain.
• You can't do this on a single IP+Port with Kestrel until we get SNI based options: Enable SslStream server options per-hostname (in callback) runtime#31097
• This doesn't integrate well with the current CertificateAuthHandler because it doesn't provide a Challenge event. We should add that. We could also consider adding this pattern as a first class option, you'd only need to specify an alternate host.
• I could make this cleaner for 3.1 by delegating CertificateAuthHandler's Challenge action to a custom handler.
• There's no still no real way to sign-out, you have to close the browser.

Unrelated: I've cherry picked #21467 to work around a Kestrel regression.

Do we think this is worth expanding on? Should I file issues for the gaps like adding a Challenge event?

[blowdart]

Provide a certificate that allows 127.0.0.1

CAB forum won't allow IP addresses in public certificates any more, so it'd be slightly unrealistic to have the cert tool create one.

[Tratcher]

Provide a certificate that allows 127.0.0.1

CAB forum won't allow IP addresses in public certificates any more, so it'd be slightly unrealistic to have the cert tool create one.

That's just for the sample anyways. It has no bearing on the real scenario.

[FDonald]

Thanks @Tratcher. I am trying to implement your suggestion, but when create subdomain, I have a doubt:
My aplication is an IdentityServer4 implementation and the only page I wish to protect is certificate/login in order to read certificate and return an acces token.
However, I can't use only certificate/login controller in subdomain. Do we need to protect the entire site in the subdomain?

[Tratcher]

Thanks @Tratcher. I am trying to implement your suggestion, but when create subdomain, I have a doubt:
My aplication is an IdentityServer4 implementation and the only page I wish to protect is certificate/login in order to read certificate and return an acces token.
However, I can't use only certificate/login controller in subdomain. Do we need to protect the entire site in the subdomain?

This approach requires all or nothing unless you split them into two completely different apps. You can still redirect back to the root site afterwards.

[leastprivilege]

I ended up using sub-domains -

like identityserver.io and mtls.identityserver.io.

I used nginx to provide the two entry points and then route to the same application.

https://identityserver4.readthedocs.io/en/latest/topics/mtls.html#identityserver-setup

[leastprivilege]

I need to have a closer look at your approach. But a bit busy right now.

[Tratcher]

@leastprivilege thanks, that maps to what I'm proposing here. How do you handle switching between them? E.g. Challenging for cert auth? Would a Challenge event on the cert auth handler help?

[leastprivilege]

Not sure what you mean with "switch" - but we do this

https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/src/Hosting/MutualTlsEndpointMiddleware.cs

[Tratcher]

That middleware looks designed to only attempt cert auth if the request matched a certain domain or path. What do you do if you're on the non-mtls domain and someone wants to log in with client certs? You redirect them to the mtls domain, correct? How do you manage that flow?

[leastprivilege]

Ah I see - we are only doing client authentication with certs - IOW the client knows upfront.

[ghost]

Hello @Tratcher!

Because this pull request has the auto-merge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.

[conkman]

@Tratcher I am looking to use your sample to integrate Azure API Manager (APIM) with an on prem Service Fabric cluster at one of my clients. What would it take to use host names in your Sample instead of IP's? I am having a hard time find a solution that would leverage this technique instead. Would I need to go the route that @lukewaters went in creating some Middleware to check the pipeline?

[ghost]

Hi @conkman. It looks like you just commented on a closed PR. The team will most probably miss it. If you'd like to bring something important up to their attention, consider filing a new issue and add enough details to build context.