MTLS Update (#3962)

* a client cert auth handler * remove workspace.xml * exclude .idea folder when cleaning * ignore workspace xml * add client cert to MTLS sample * add config for client cert authn * add test cert * update client config for new cert * Move cnf generation to extension method * add mtls domain support to discovery * update client to use SocketHandler * rename MTLS middleware * bug in disco * add comments * cleanup mtls middleware * cleanup * cleanup client * add feature to set client cert cnf claim regardless of authentication method * update ignore file * remove rider files * more rider files * use constants for path manipulation * set https fixed
ejsa13 · Jan 5, 2020 · 91b855f · 91b855f
1 parent 939a0ca
commit 91b855f
Show file tree

Hide file tree

Showing 26 changed files with 308 additions and 1,512 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,20 +1,5 @@
-## Ignore Visual Studio temporary files, build results, and
-## files generated by popular Visual Studio add-ons.
-
 # Rider
-.idea/**/workspace.xml
-.idea/**/tasks.xml
-.idea/**/usage.statistics.xml
-.idea/**/dictionaries
-.idea/**/shelf
-.idea/**/dataSources/
-.idea/**/dataSources.ids
-.idea/**/dataSources.local.xml
-.idea/**/sqlDataSources.xml
-.idea/**/dynamic.xml
-.idea/**/uiDesigner.xml
-.idea/**/dbnavigator.xml
-.idea/**/contentModel.xml
+.idea
 
 # User-specific files
 *.suo
@@ -223,3 +208,4 @@ identityserver4_log.txt
 tempkey.rsa
 samples/KeyManagement/FileSystem/dataprotectionkeys/
 samples/KeyManagement/FileSystem/signingkeys/
+workspace.xml
diff --git a/clean.sh b/clean.sh
@@ -1,3 +1,3 @@
-git clean -xdf -e samples -e src/IdentityServer4/.vs
+git clean -xdf -e samples -e src/IdentityServer4/.vs -e .idea
 
 ./clean_cache.sh
diff --git a/samples/Clients/.idea/.idea.Clients/.idea/workspace.xml b/samples/Clients/.idea/.idea.Clients/.idea/workspace.xml
diff --git a/samples/Clients/src/ConsoleMTLSClient/ConsoleMTLSClient.csproj b/samples/Clients/src/ConsoleMTLSClient/ConsoleMTLSClient.csproj
@@ -9,4 +9,10 @@
     <ProjectReference Include="..\Constants\Constants.csproj" />
   </ItemGroup>
 
+  <ItemGroup>
+    <None Update="client.p12">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+  </ItemGroup>
+
 </Project>
diff --git a/samples/Clients/src/ConsoleMTLSClient/Program.cs b/samples/Clients/src/ConsoleMTLSClient/Program.cs
@@ -5,6 +5,7 @@
 using System;
 using System.Linq;
 using System.Net.Http;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 
 namespace ConsoleMTLSClient
@@ -24,21 +25,19 @@ public static async Task Main()
 
         static async Task<TokenResponse> RequestTokenAsync()
         {
-            var handler = new HttpClientHandler();
-            var cert = X509.CurrentUser.My.Thumbprint.Find("bf6e2ca4f07994430b86bf9d48833a33f27a5c24").Single();
-            handler.ClientCertificates.Add(cert);
+            var client = new HttpClient(GetHandler());
 
-            var client = new HttpClient(handler);
-
-            var disco = await client.GetDiscoveryDocumentAsync(Constants.Authority);
+            var disco = await client.GetDiscoveryDocumentAsync("https://identityserver.local");
             if (disco.IsError) throw new Exception(disco.Error);
 
+            var endpoint = disco
+                    .TryGetValue(OidcConstants.Discovery.MtlsEndpointAliases)
+                    .Value<string>(OidcConstants.Discovery.TokenEndpoint)
+                    .ToString();
+
             var response = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
             {
-                Address = disco
-                            .TryGetValue(OidcConstants.Discovery.MtlsEndpointAliases)
-                            .Value<string>(OidcConstants.Discovery.TokenEndpoint)
-                            .ToString(),
+                Address = endpoint,
 
                 ClientId = "mtls",
                 Scope = "api1"
@@ -50,15 +49,9 @@ static async Task<TokenResponse> RequestTokenAsync()
 
         static async Task CallServiceAsync(string token)
         {
-            var baseAddress = Constants.SampleApi;
-
-            var handler = new HttpClientHandler();
-            var cert = X509.CurrentUser.My.Thumbprint.Find("bf6e2ca4f07994430b86bf9d48833a33f27a5c24").Single();
-            handler.ClientCertificates.Add(cert);
-
-            var client = new HttpClient(handler)
+            var client = new HttpClient(GetHandler())
             {
-                BaseAddress = new Uri(baseAddress)
+                BaseAddress = new Uri(Constants.SampleApi)
             };
 
             client.SetBearerToken(token);
@@ -67,5 +60,15 @@ static async Task CallServiceAsync(string token)
             "\n\nService claims:".ConsoleGreen();
             Console.WriteLine(JArray.Parse(response));
         }
+
+        static SocketsHttpHandler GetHandler()
+        {
+            var handler = new SocketsHttpHandler();
+
+            var cert = new X509Certificate2("client.p12", "changeit");
+            handler.SslOptions.ClientCertificates = new X509CertificateCollection { cert };
+
+            return handler;
+        }
     }
-}
+}
diff --git a/samples/Clients/src/ConsoleMTLSClient/client.p12 b/samples/Clients/src/ConsoleMTLSClient/client.p12
diff --git a/src/Directory.Build.targets b/src/Directory.Build.targets
@@ -52,6 +52,7 @@
     <PackageReference Update="Microsoft.AspNetCore.Identity" Version="$(FrameworkVersion)" />
     <PackageReference Update="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="$(FrameworkVersion)" />
     <PackageReference Update="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="$(FrameworkVersion)" />
+    <PackageReference Update="Microsoft.AspNetCore.Authentication.Certificate" Version="$(FrameworkVersion)"/>
 
     <!--microsoft entity framework -->
     <PackageReference Update="Microsoft.EntityFrameworkCore.Relational" Version="$(EntityFrameworkVersion)" />