
Calling web api with client certificate from another web api

Scenario: the user talks with a WebApi called 'Gateway' via an angularjs client. 'Gateway' is like a facade or a proxy, so all requests from the user to 'Gateway' will be forwarded to other WebApis.

Security details: the 'Gateway' WebApi and all other WebApis are placed in IIS with an HTTPS binding and the SSL client certificate option set to 'Accept'. So the user will provide a valid client certificate to IIS and, after verification, the request will be handled by the WebApi.

The problem: when the 'Gateway' WebApi receives a request, the client certificate is present in the Request object. Then I just forward this request using HttpClient to the other WebApi. But when the other WebApi endpoint receives the request, there is no client certificate attached anymore.

Below is a code snippet of the request forwarding:

var request = Request; // incoming request from angularjs

var handler = new WebRequestHandler();
handler.ClientCertificates.Add(request.GetClientCertificate()); // setting up client certificate from user's request
using (var httpClient = new HttpClient(handler))
{
    request.RequestUri = targetUri; // changing request address here; targetUri is the backend address (placeholder)
    var response = await httpClient.SendAsync(request);
    return ResponseMessage(response);
}

Note: If I go directly to the other WebApi, the client certificate is present as expected. If I go via 'Gateway', the client certificate is present in the 'Gateway' request as well, but after it is successfully attached and the request is sent, the other WebApi does not receive any certificate.

Any ideas? Thank you.

On your gateway server, you need to import an authentication key into the "machine" certificate store (MMC.exe, add snap-in "Certificates", "Computer account", Certificates - Personal - Certificates, import).
Grant permissions (for the auth cert) to the account which your IIS pool is using (right-click the cert, All Tasks, Manage Private Keys, Add, Advanced, Locations=[machine-name], Find Now, (probably) Network Service, Read).

In your web.config (on your gateway server), check your system.serviceModel / behaviors / endpointBehaviors / behavior / clientCredentials / clientCertificate. Make sure the attribute storeLocation="LocalMachine" is set, to use the cert from the machine key store.
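The pattern the answer describes, as an added C# (ASP.NET Web API 2) example that is not code from the question or the answer: the gateway cannot re-use the user's certificate for its own TLS handshake because IIS only hands it the public part, so it authenticates to the backend with its own certificate from LocalMachine\My (the store and pool-identity permission set up above) and relays the user's identity in headers, and the backend honours those headers only when the TLS client certificate it sees belongs to the gateway. `GatewayController`, `RequireGatewayCertificateAttribute`, `BackendBaseUri`, the `X-Forwarded-Client-Cert-*` header names and the thumbprint values are assumptions for illustration; the thumbprints are placeholders to be replaced with the real gateway certificate's.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using System.Web.Http;

// Gateway side: forward the call to a backend Web API, authenticating with the
// gateway's own certificate and relaying who the end user was.
// Class, header and configuration names are hypothetical.
public class GatewayController : ApiController
{
    // Placeholders: in a real deployment read these from web.config / appSettings.
    private static readonly Uri BackendBaseUri = new Uri("https://backend.example.internal/");
    private const string GatewayCertThumbprint = "PLACEHOLDER-GATEWAY-THUMBPRINT";

    // Loads the gateway's client certificate, with its private key, from LocalMachine\My.
    // The IIS application pool identity must have Read access to that private key.
    public static X509Certificate2 LoadGatewayCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, GatewayCertThumbprint, validOnly: true);
            if (found.Count == 0)
                throw new InvalidOperationException("Gateway certificate not found in LocalMachine\\My.");
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Gateway certificate has no accessible private key.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    [HttpGet, HttpPost]
    public async Task<IHttpActionResult> Forward(string path)
    {
        // The user's certificate as IIS hands it over: public part only, no private key,
        // so it can never complete a TLS handshake towards the backend.
        X509Certificate2 userCert = Request.GetClientCertificate();
        if (userCert == null)
            return Unauthorized(); // SSL setting is 'Accept', so a request may arrive without one

        var handler = new WebRequestHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual
        };
        handler.ClientCertificates.Add(LoadGatewayCertificate());

        using (var client = new HttpClient(handler))
        {
            var target = new Uri(BackendBaseUri, path + Request.RequestUri.Query);
            var outgoing = new HttpRequestMessage(Request.Method, target)
            {
                Content = Request.Content
            };
            // Relay the user's identity; the backend must trust these headers only when
            // the TLS client certificate it sees is the gateway's (see the filter below).
            outgoing.Headers.TryAddWithoutValidation("X-Forwarded-Client-Cert-Thumbprint", userCert.Thumbprint);
            outgoing.Headers.TryAddWithoutValidation("X-Forwarded-Client-Cert-Subject", userCert.Subject);

            HttpResponseMessage response = await client.SendAsync(outgoing);
            return ResponseMessage(response);
        }
    }
}

// Backend side: accept the relayed identity only when the caller proved, via TLS,
// that it is the gateway. IIS has already validated the certificate chain; this
// filter pins the caller to the one expected gateway certificate.
public class RequireGatewayCertificateAttribute : System.Web.Http.Filters.ActionFilterAttribute
{
    private const string GatewayCertThumbprint = "PLACEHOLDER-GATEWAY-THUMBPRINT";

    public override void OnActionExecuting(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        X509Certificate2 callerCert = actionContext.Request.GetClientCertificate();
        bool isGateway = callerCert != null
            && string.Equals(callerCert.Thumbprint, GatewayCertThumbprint, StringComparison.OrdinalIgnoreCase);
        if (!isGateway)
        {
            actionContext.Response = actionContext.Request.CreateResponse(System.Net.HttpStatusCode.Forbidden);
        }
    }
}
```

Apply `[RequireGatewayCertificate]` to the backend actions that read the `X-Forwarded-Client-Cert-*` headers; without that check any client able to reach the backend over HTTPS could set those headers and impersonate a user, which is why the gateway's own certificate, not the forwarded one, is what the backend authenticates.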
