Client Authentication for WebAPI 2

倖福魔咒の submitted on 2021-02-19 07:39:25

Question


My company has written an API to expose our application data to our clients. We've completed the endpoints and now want to secure the API. The API will only be used by pre-approved clients so no anonymous access is needed. I've been told that we can use an x.509 certificate that we generate to identify and authenticate each client. By identifying, I mean embedding a client code in the certificate that we issue to each client (is this even possible?). As you can probably tell I have little experience in authenticating clients with certs, is this a solid approach?


Answer 1:


This is a very "tricky" option for authenticating and authorizing clients. It's very powerful, but could be very expensive to implement because you have to manage a full PKI (public key infrastructure) and you have to securely distribute the certificates to your clients.

1) You need SSL in place and you need to enforce it (even globally if you want):

using System;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // Reject requests that did not arrive over HTTPS; a client certificate can only be negotiated on a TLS connection.
        if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
            {
                ReasonPhrase = "HTTPS Required"
            };
        }
        else
        {
            base.OnAuthorization(actionContext);
        }
    }
}

public class ValuesController : ApiController
{
    [RequireHttps]
    public HttpResponseMessage Get() { ... }
}

2) You need to configure IIS to accept client certificates through applicationHost.config or using the IIS manager console:

<system.webServer>
    <security>
        <access sslFlags="Ssl, SslNegotiateCert" />
        <!-- To require a client cert: -->
        <!-- <access sslFlags="Ssl, SslRequireCert" /> -->
    </security>
</system.webServer>

3) On the server side, you can get the client certificate by calling GetClientCertificate on the request message. The method returns null if there is no client certificate. Otherwise, it returns an X509Certificate2 instance. Use this object to get information from the certificate, such as the issuer and subject. Then you can use this information for authentication and/or authorization.

X509Certificate2 cert = Request.GetClientCertificate(); // null when the client presented no certificate
if (cert != null)
{
    string issuer = cert.Issuer;
    string subject = cert.Subject;
}

Check this article by Mike Wasson for the full reference (I gave you an extract here).

is this a solid approach?

Yes it is, but as you saw, the PKI drawback is something to keep in mind. Eventually you can implement OAuth2 auth, which is also extremely powerful, and you can easily base it on an external provider, for example Azure AD. Check this article for more details. BTW, you can also start from the basic MVC/API template.
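The answer's step 3 reads cert.Subject but leaves the actual trust decision implicit, and the question asks whether a client code can be embedded in the certificate at all. The following stand-alone Go program, added here as an example (it is not code from the question, the answer, or the referenced article), uses only the standard library to show both: a private CA issues each client a certificate carrying its client code in the subject's serialNumber attribute, and the server only trusts that code after the chain verifies to its own CA and the certificate carries the TLS client-authentication EKU. The CA name, the client code "ACME-0042" and the choice of the serialNumber attribute are constructed for the example; the same checks belong in the Web API filter before cert.Subject is used for anything.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs tmpl with signer's key under parent (tmpl == parent gives a self-signed cert).
func issueCert(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates the operator's private CA in memory (constructed name; in production the key stays offline or in an HSM).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example API Client CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issueCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// mintClientCert builds a leaf certificate with clientCode in the subject's serialNumber attribute,
// limited to TLS client auth. ca == nil yields a self-signed cert that merely claims the code.
func mintClientCert(clientCode string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // fixed for the demo; real issuance uses random serials
		Subject: pkix.Name{
			CommonName:   "client-" + clientCode,
			SerialNumber: clientCode, // the client code the API maps to an account
		},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca == nil {
		return issueCert(tmpl, tmpl, &key.PublicKey, key)
	}
	return issueCert(tmpl, ca, &key.PublicKey, caKey)
}

// authenticateClient is the server-side check behind step 3: a certificate must be present,
// chain to our CA and carry the client-auth EKU before the client code it names is trusted.
func authenticateClient(presented, ca *x509.Certificate) (string, error) {
	if presented == nil {
		return "", fmt.Errorf("no client certificate presented")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	if presented.Subject.SerialNumber == "" {
		return "", fmt.Errorf("certificate carries no client code")
	}
	return presented.Subject.SerialNumber, nil
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	issued, _ := mintClientCert("ACME-0042", ca, caKey) // properly issued by our CA
	rogue, _ := mintClientCert("ACME-0042", nil, nil)   // same subject, not issued by us
	for _, c := range []*x509.Certificate{issued, rogue, nil} {
		fmt.Println(authenticateClient(c, ca))
	}
}
```

The second and third cases are the ones the C# extract above does not cover: a certificate whose subject spells out a valid client code but does not chain to the operator's CA, and a request with no certificate at all. In Web API the equivalent is to build an X509Chain that trusts only your own CA and confirm the chain's root before reading the subject; the subject identifies the client, the chain verification is what authenticates it.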



Source: https://stackoverflow.com/questions/36131108/client-authentication-for-webapi-2
