New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support to HttpClient for mutual authentication #15708
Comments
The Windows version of HttpClient relies on native WinHTTP. So, we would need that native component enhanced as well. For WinHTTP: We can get the SPN used. But there doesn't seem to be a way to set it to a custom value before the request is processed: WINHTTP_OPTION_SERVER_SPN_USED |
What about for other platforms? E.g. Unix, UWP? |
This is blocking WCF Windows authentication SPN scenario (dotnet/wcf#1252) and UPN scenario (dotnet/wcf#10). |
The functionality is not supported by the underlying WinHttp stack in Winwdows. Probably not even in Curl. Unless we have full managed networking stack, we won't be able to reasonably implement it across the board. @zhenlan @mconnew you marked this as blocking, can you please check if it is still blocking and if there are any workarounds for you. |
The short answer is this is blocking, there aren't workarounds, and this is doable on all platforms except perhaps UWP. We are consuming HttpClient and not WinHTTP or libCurl. These are implementation details of HttpClient and are an abstraction for a very good reason. I shouldn't need to worry about how it's implemented. If the choice of implementation isn't able to achieve functional parity with the full framework, then maybe the implementation needs to be modified/replaced. I also spent about 30 seconds with Bing and found the documentation on how to do this with libCurl. You set the CURLOPT_SERVICE_NAME option to use a non default SPN. So it should be relatively simple to implement this on non-windows platforms. I know it can work on Windows as the full framework can do it. As it's possible to do on Windows and Unix, I see no reason that this should be closed. This is still blocking. Here are two important scenarios that are blocked by this. This all presumes using Kerberos authentication. Communicating with a self hosted WCF service Multiple hosts serving the same service |
Understood. Sadly, we are limited by current implementation(s). If we can fix it on Linux/Mac with libcurl, we can do that (thanks for pointer) - @Priya91 can you please check it out? Long-term we should definitely review our strategy which networking stack to use - OS dependent (today), uniform (e.g. libcurl on all OSs), or our own (managed)? It is something we are actively discussing - incl. what is the mid-term vs. long-term solution. Performance plays a key role here as well. Scoping the bug as Linux-only to track the libcurl tactical fix. |
I made a suggestion here about adding the ability to specify libcurl options via HttpClientHandler.Properties which are transparently applied to libcurl. While it might not be the right solution there, the concept might be worth considering for this issue. It wouldn't be locking in a new API to solve this issue on Linux which means more time can be put into how a more general solution could be made and I believe would be generally helpful to solve other problems which might come up. |
We don't have a way to specify libcurl options currently, and this would require a larger discussion on how we expose the libcurl options. Since this facility is not available on windows, exposing a new API will be specific to Unix platforms. We are not adding new APIs that are very specific to Unix for 2.0, hence pushing it out to Future. cc @karelz |
As there isn't a plan to implement this on Linux, I'm changing this bug back to all platforms as this is still an issue on all platforms. |
@davidsh, why do you consider this no longer blocking WCF? Do you have a solution that we can use now? |
I think we should close this issue as Won't Fix. Adding 'blocking-partner' label is not going to help prioritize this issue in any way on our backlog. Filing (a new) feature request on |
Closing as this is tracked by dotnet/corefx#27745. |
On the desktop, WCF uses mutual authentication when using Kerberos authentication. We specify the servers SPN by adding the relevant SPN to
AuthenticationManager.CustomTargetNameDictionary
. We need a way to:The second item is needed if mutual auth is enabled as on the service side only a system process is able to use the host/hostname SPN. When the remote service is using HTTP.SYS in a non-system process and not using Kernal mode authentication, a unique SPN must be created and used. If mutual auth is enabled, this would break without being able to specify the SPN for the server on the client side.
The text was updated successfully, but these errors were encountered: