MTLS Update (#3962)

* a client cert auth handler

* remove workspace.xml

* exclude .idea folder when cleaning

* ignore workspace xml

* add client cert to MTLS sample

* add config for client cert authn

* add test cert

* update client config for new cert

* Move cnf generation to extension method

* add mtls domain support to discovery

* update client to use SocketHandler

* rename MTLS middleware

* bug in disco

* add comments

* cleanup mtls middleware

* cleanup

* cleanup client

* add feature to set client cert cnf claim regardless of authentication method

* update ignore file

* remove rider files

* more rider files

* use constants for path manipulation

* set https fixed

Author: leastprivilege

.gitignore

@@ -1,20 +1,5 @@
-## Ignore Visual Studio temporary files, build results, and
-## files generated by popular Visual Studio add-ons.
-
 # Rider
-.idea/**/workspace.xml
-.idea/**/tasks.xml
-.idea/**/usage.statistics.xml
-.idea/**/dictionaries
-.idea/**/shelf
-.idea/**/dataSources/
-.idea/**/dataSources.ids
-.idea/**/dataSources.local.xml
-.idea/**/sqlDataSources.xml
-.idea/**/dynamic.xml
-.idea/**/uiDesigner.xml
-.idea/**/dbnavigator.xml
-.idea/**/contentModel.xml
+.idea
 
 # User-specific files
 *.suo
@@ -223,3 +208,4 @@ identityserver4_log.txt
 tempkey.rsa
 samples/KeyManagement/FileSystem/dataprotectionkeys/
 samples/KeyManagement/FileSystem/signingkeys/
+workspace.xml

clean.sh

@@ -1,3 +1,3 @@
-git clean -xdf -e samples -e src/IdentityServer4/.vs
+git clean -xdf -e samples -e src/IdentityServer4/.vs -e .idea
 
 ./clean_cache.sh

samples/Clients/.idea/.idea.Clients/.idea/workspace.xml

@@ -9,4 +9,10 @@
     <ProjectReference Include="..\Constants\Constants.csproj" />
   </ItemGroup>
 
+  <ItemGroup>
+    <None Update="client.p12">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+  </ItemGroup>
+
 </Project>

samples/Clients/src/ConsoleMTLSClient/ConsoleMTLSClient.csproj

@@ -5,6 +5,7 @@
 using System;
 using System.Linq;
 using System.Net.Http;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 
 namespace ConsoleMTLSClient
@@ -24,21 +25,19 @@ public static async Task Main()
 
         static async Task<TokenResponse> RequestTokenAsync()
         {
-            var handler = new HttpClientHandler();
-            var cert = X509.CurrentUser.My.Thumbprint.Find("bf6e2ca4f07994430b86bf9d48833a33f27a5c24").Single();
-            handler.ClientCertificates.Add(cert);
+            var client = new HttpClient(GetHandler());
 
-            var client = new HttpClient(handler);
-
-            var disco = await client.GetDiscoveryDocumentAsync(Constants.Authority);
+            var disco = await client.GetDiscoveryDocumentAsync("https://identityserver.local");
             if (disco.IsError) throw new Exception(disco.Error);
 
+            var endpoint = disco
+                    .TryGetValue(OidcConstants.Discovery.MtlsEndpointAliases)
+                    .Value<string>(OidcConstants.Discovery.TokenEndpoint)
+                    .ToString();
+            
             var response = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
             {
-                Address = disco
-                            .TryGetValue(OidcConstants.Discovery.MtlsEndpointAliases)
-                            .Value<string>(OidcConstants.Discovery.TokenEndpoint)
-                            .ToString(),
+                Address = endpoint,
 
                 ClientId = "mtls",
                 Scope = "api1"
@@ -50,15 +49,9 @@ static async Task<TokenResponse> RequestTokenAsync()
 
         static async Task CallServiceAsync(string token)
         {
-            var baseAddress = Constants.SampleApi;
-
-            var handler = new HttpClientHandler();
-            var cert = X509.CurrentUser.My.Thumbprint.Find("bf6e2ca4f07994430b86bf9d48833a33f27a5c24").Single();
-            handler.ClientCertificates.Add(cert);
-
-            var client = new HttpClient(handler)
+            var client = new HttpClient(GetHandler())
             {
-                BaseAddress = new Uri(baseAddress)
+                BaseAddress = new Uri(Constants.SampleApi)
             };
 
             client.SetBearerToken(token);
@@ -67,5 +60,15 @@ static async Task CallServiceAsync(string token)
             "\n\nService claims:".ConsoleGreen();
             Console.WriteLine(JArray.Parse(response));
         }
+
+        static SocketsHttpHandler GetHandler()
+        {
+            var handler = new SocketsHttpHandler();
+            
+            var cert = new X509Certificate2("client.p12", "changeit");
+            handler.SslOptions.ClientCertificates = new X509CertificateCollection { cert };
+
+            return handler;
+        }
     }
-}
+}

samples/Clients/src/ConsoleMTLSClient/Program.cs

@@ -52,6 +52,7 @@
     <PackageReference Update="Microsoft.AspNetCore.Identity" Version="$(FrameworkVersion)" />
     <PackageReference Update="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="$(FrameworkVersion)" />
     <PackageReference Update="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="$(FrameworkVersion)" />
+    <PackageReference Update="Microsoft.AspNetCore.Authentication.Certificate" Version="$(FrameworkVersion)"/>
 
     <!--microsoft entity framework -->
     <PackageReference Update="Microsoft.EntityFrameworkCore.Relational" Version="$(EntityFrameworkVersion)" />