Client certificate authentication on certain requests
Question
Following this question and the answers I got, I've decided to follow the route of client certificates. However, I actually need to enforce security only on certain requests, and Microsoft's documentation confirms that this can't be expected of plain SSL authentication.
Here's what I need:
- my server (ASP.NET Core) exposes HTTP endpoints;
- some of those are public and can be used by anyone, some are private;
- only a closed list of known clients is allowed to use the private endpoints.
Is there a way to request client certificates from clients, but to also
- ignore them if the request is for a public endpoint
- check that the certificate is in a list if the request is for a private endpoint?
1 answers
solution1
0 2020-07-17 08:47:46
You may set the client certificate to accept in SSL Settings of IIS
Accept will take a certificate if it's presented, but will also continue with connections where the client doesn't present one.
You may use the current authentication and authorization to check if the user is mapped to the current request to proceed with private API
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.