How to authenticate from a javascript client agains a client certificate protected web api

[florianwachs]

Hi there,
i get the feeling that what I want is not possible, but I find no ressources on why it is not possible. I want an aspnetcore web api, protected by client certificates. Thanks to this documentation https://docs.microsoft.com/en-us/aspnet/core/security/authentication/certauth?view=aspnetcore-3.1 i got it running very easily. If I call the webapi directly, the browser prompts me for an client credential. I can also connect via a console application. But I can´t find a way to have a SPA authenticate agains my api via a client certificate. Can you help me with any advice ? Thanks a lot!

[Tratcher]

Is there server configured to require a certificate for all requests? Spa apps shouldn't need to do anything special.

[florianwachs]

Thanks for the answer, I have a Blazor Server-side application and a separate aspnet core webapi project that has certificate auth configured. Now I have the problem to be able to call the API from my Blazor-serverside application. I tried accessing the WebApi from an React SPA too, but im unable to trigger the Certificate Selection Dialog of the browser for the fetch api. I just get a 403 but no popup. Sources claim that I cant trigger that from javascript. Basically I want to be able to authenticate the user via a client certificate when using my blazor app and calling the webapi. Sorry if my description is confusing you.

[florianwachs]

oh and sorry, yes, I tried the webapi configured with required and optional client certificates.
I can enable client certs in my spa app too, though I than have the problem of how i can delegate this to the web api. Sorry if I´m wasting your time.

[florianwachs]

@Tratcher I think I get your initial question now and why I confused you. When I create a brand new react spa project and enable clientauth in the same project, I can authorize the WeatherForecast endpoint. But I´m unable to call a webapi with client auth that resides in it´s own webapi project. Does that make more sense to you? Thanks again.

[Tratcher]

That other webapi is a separate site? I wonder if the browser has restrictions about doing client auth to other sites?

[florianwachs]

@Tratcher thanks a lot for reaching out again. I now understand that my initial question is not possible to solve with a server side blazor app. I now understand that clientcertificate auth is a TLS feature and that it’s not possible to use those client credentials within an server blazor app to call a different rest api onbehalf of the user, because there is no way from the server side to access and reuse the clients private certificate. I now use a react spa with my client certificate protected aspnetcore api and it works like a charm. I would prefer blazor WASM but it’s not possible due to customers still forcing IE 11 (I know...). @SteveSandersonMS gave me an nice hint that I could „marshal“ all api requests that need cert auth. from blazor server to the browser and let the Browser do the calls. But this was a bit too hacky for me. I hope to see the time where Corps finally switch to edge... thanks a lot and have a Great day. And a big thank you to the whole team, I live .net and aspnet.