Question regarding certificate revocation status

[Toastedcranium]

Which version of Duende IdentityServer are you using?
7

Which version of .NET are you using?
8

Describe the bug

N/A

To Reproduce

N/A

Expected behavior

N/A

Log output/exception with stacktrace

N/A

Additional context

I am trying to figure out how to properly configure duende to utilize an X509 certificate. I have it set up where you can put through a certificate and it recognizes it in the browser and we get access to the duende template site. When we click any of the links, we get an unauthorized error and in the duende console it says:

["RevocationStatusUnknown The revocation function was unable to check revocation for the certificate.", "OfflineRevocation The revocation function was unable to check revocation because the revocation server was offline."]

We are working on an intranet without access to the outside internet, so not sure if that is a factor. Have been trying to disable recovation/turn revocation offline with no success. I tried setting it up in kestralserveroptions:

builder.Services.Configure<KestrelServerOptions>(options =>
{
    options.ConfigureHttpsDefaults(httpsOptions =>
    {
        httpsOptions.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
        httpsOptions.CheckCertificateRevocation = false;
    });
});

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CertificateAuthenticationDefaults.AuthenticationScheme;
}).AddCertificate(options =>
{
    // If needed, you can add certificate validation options here.
    options.Events = new CertificateAuthenticationEvents
    {
        OnCertificateValidated = context =>
        {
          // extra validation logic here
        }

I have been messing around with trying to change the builder to:

builder.Services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>

but there is no tokenvalidationparameters that can change validation mode or revocation mode.

Any help?

---

EDIT1:

I messed around a bit and got past the revocation this way:

var httpClientHandler = new HttpClientHandler();
httpClientHandler.CheckCertificateRevocationList = false;
var httpClient = new HttpClient(httpClientHandler);

but now I am still getting this:

[22:18:35 Information] Microsoft.AspNetCore.Authorization.DefaultAuthorizationService
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.

[22:18:35 Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler
AuthenticationScheme: Bearer was challenged.

[maartenba]

(note: we're moving this issue to our new community discussions)

[RolandGuijt]

Can you please tell us more about what you're trying to do? Are you trying to use some form of mTLS here?