Access Client certificate in ApiController hosted in Azure Worker Role

Question

This could be a repeat question but I still could not find any answer that could resolve my issue so posting it again.

I have an azure worker role and I have added an ApiController to it using Owin selfhost(see this for reference).

In my custom controller I have a POST api which tries to do client cert authentication by extracting the cert from Request object but when deploying to azure cemulator, the cert always comes as null.

Here is my sample client code:

enter code here

public static async Task GetResponseAsync(WebApiRequestInfo webApiRequestInfo)

{
    if (webApiRequestInfo == null)
    {
        throw new ArgumentNullException("webApiRequestInfo");
    }

    WebRequestHandler requestHandler = null;

    if (webApiRequestInfo.Certificate != null)
    {
        requestHandler = new WebRequestHandler { ClientCertificateOptions = ClientCertificateOption.Manual };
        requestHandler.ClientCertificates.Add(webApiRequestInfo.Certificate);
    }

    using (var client = requestHandler != null
        ? new HttpClient(requestHandler) {BaseAddress = webApiRequestInfo.BaseUrl}
        : new HttpClient {BaseAddress = webApiRequestInfo.BaseUrl})
    {

        client.DefaultRequestHeaders.Accept.Clear();
        client.DefaultRequestHeaders.Accept.Add(
            new MediaTypeWithQualityHeaderValue(webApiRequestInfo.MediaType));

        var method = new HttpMethod(webApiRequestInfo.HttpMethod);

        var request = new HttpRequestMessage(method, webApiRequestInfo.RelativeUrl)
        {
            Content =
                webApiRequestInfo.Content != null
                    ? new StringContent(JsonConvert.SerializeObject(webApiRequestInfo.Content), Encoding.UTF8,
                        "application/json")
                    : null
        };

        var response = await client.SendAsync(request);

        return response;

The controller code looks like this:

[HttpPost]
        public async Task<HttpResponseMessage> GetPackage([FromBody]PackageInfo packageInfo)
        {
            string correlationId = null;
            var logger = TraceLogger<LogData>.Logger;

            try
            {
                if (string.IsNullOrEmpty(packageInfo.Partner))
                {
                    throw new ArgumentException("Partner undefined");
                }

                if (string.IsNullOrEmpty(packageInfo.ServiceEnvironment))
                {
                    throw new ArgumentException("ServiceEnvironment undefined");
                }

                if (string.IsNullOrEmpty(packageInfo.StorageEnvironment))
                {
                    throw new ArgumentException("StorageEnvironment undefined");
                }

                var cert1 = Request.GetClientCertificate();// this is always null
}

Is there something I am missing or if this is something by design for azure emulator. I wanted to clarify this before I deploy to a cloud service to make sure there is nothing missing here. Any suggestions to solve this would be greatly helpful.

Answer 1

Based on my test, I can access client certificate in ASP.NET Web API (that is hosted in an Azure Worker Role) controller action. The following sample code is for your reference.

TestController.cs

public class TestController : ApiController
{
    public HttpResponseMessage Get()
    {
        return new HttpResponseMessage()
        {
            Content = new StringContent("Hello from OWIN!")
        };
    }
    public HttpResponseMessage Get(int id)
    {
        var Thumbprint = Request.GetClientCertificate().Thumbprint.ToString();
        string msg = String.Format("Hello from OWIN (id = {0})", id);
        return new HttpResponseMessage()
        {
            Content = new StringContent(msg)
        };
    }
}

Send request in a console app

X509Certificate2 certificate = new X509Certificate2(certName, password);

var Thumbprint = certificate.Thumbprint.ToString();

Console.WriteLine($"client certificate Thumbprint: {Thumbprint}");

WebRequestHandler requestHandler = new WebRequestHandler();

requestHandler = new WebRequestHandler { ClientCertificateOptions = ClientCertificateOption.Manual };
requestHandler.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateServerCertificate);

requestHandler.ClientCertificates.Add(certificate);


using (var client = new HttpClient(requestHandler))
{   
    HttpResponseMessage response = await client.GetAsync("https://127.0.0.1:9527/test/5");

    if (response.IsSuccessStatusCode)
    {
        string content = await response.Content.ReadAsStringAsync();
        Console.WriteLine($"Received response: {content}");
    }
    else
    {
        Console.WriteLine($"Error, received status code {response.StatusCode}: {response.ReasonPhrase}");
    }
}

Can access client certificate in Web API controller action

Console app output

Answer 2

The issue was with the cert issuing authority due to which IIS filtered out the cert from request. Using the right cert with CA whitelisted all started working fine.