Custom validation inside OnCertificateValidated getting ignored by Kestrel (3.0Preview9) #14033
Comments
@Tratcher this looks to be an issue with the cert auth handler interacting with kestrel, there are tests that verify context.fail without kestrel in the picture result in proper failures: i.e. https://github.com/aspnet/AspNetCore/blob/b75b892eac51be8b2f0eb9dc9b47537fc02001c9/src/Security/Authentication/test/CertificateTests.cs#L226 Is returning true the proper way to disable kestrel's client cert validation for this to work? Or do we need additional tweaking for this scenario to work?
Kestrel doesn't participate in authentication/authorization beyond the ClientCertificateValidation check you disabled.
This sounds more like an authorization problem. What authorization policies have you set up for the endpoint?
context.Fail("invalid cert") should have it end up with no user so authorize should be barfing? Unless it's falling through to the default constructed user dominick wanted?
Only if you require authenticated user
I haven't implemented the authorization middleware yet - my understanding was that if OnCertificateValidated() fails, any API access would be rejected (which is the intended/expected behavior).
If you don't do anything and are just using
@brrusino it'll only fail if you have an authorize attribute on them, or if you've made authorization mandatory on every route via configuration. |
We're trying to only allow certificates associated with a specific root cert to access our API. When debugging with a cert from another CA that is valid, I can confirm that the validation check (VerifyChainAndRequiredRoot) is behaving as expected and failing (context.Fail is being set) but authentication is still passing.
Inside the configuration for Kestrel, my understanding is that CertificateValidation would need to be disabled here in order to not use the default configuration:
Any insight would be much appreciated.
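An added example (not the issue author's code and not the framework's own samples) putting the three pieces from this thread together for ASP.NET Core 3.0: Kestrel's ClientCertificateValidation disabled by returning true, the custom root check run from OnCertificateValidated with context.Fail, and a fallback authorization policy so that a failed authentication actually rejects the request instead of leaving it anonymous. VerifyChainAndRequiredRoot is the name used in the issue; its body and the RequiredRootThumbprint placeholder are assumptions.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private const string RequiredRootThumbprint = "<ROOT-CA-THUMBPRINT>"; // placeholder, uppercase hex
    public void ConfigureServices(IServiceCollection services)
    {
        // Same effect as ConfigureKestrel: require a client cert, accept any at the TLS layer.
        services.Configure<KestrelServerOptions>(k => k.ConfigureHttpsDefaults(https =>
        {
            https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
            https.ClientCertificateValidation = (cert, chain, errors) => true;
        }));
        services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
            .AddCertificate(o => o.Events = new CertificateAuthenticationEvents
            {
                OnCertificateValidated = ctx =>
                {
                    // Fail() only leaves the request anonymous; the rejection comes from authorization.
                    if (VerifyChainAndRequiredRoot(ctx.ClientCertificate)) ctx.Success();
                    else ctx.Fail("client certificate does not chain to the required root");
                    return Task.CompletedTask;
                }
            });
        // Without this policy (or [Authorize] on the endpoints) an anonymous request still reaches them.
        services.AddAuthorization(o => o.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization(); // enforces FallbackPolicy on every endpoint
        app.UseEndpoints(e => e.MapGet("/", ctx => ctx.Response.WriteAsync("ok")));
    }
    // Assumed body for the issue's own helper: build the chain and compare its root to the pinned one.
    private static bool VerifyChainAndRequiredRoot(X509Certificate2 cert)
    {
        using var chain = new X509Chain { ChainPolicy = { RevocationMode = X509RevocationMode.NoCheck } };
        return chain.Build(cert) && chain.ChainElements[chain.ChainElements.Count - 1].Certificate.Thumbprint == RequiredRootThumbprint;
    }
}
```

With the fallback policy in place, a certificate from a different (even publicly trusted) CA is accepted by Kestrel, fails in OnCertificateValidated, and is then turned away by the authorization middleware rather than reaching the endpoint as an anonymous caller.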