In a recent post from his blog, Premier Developer Consultant Razi Rais gives us a step-by-step overview of how to add client certificate Authentication for Web Api Hosted in Azure.
During recent customer engagement there was a discussion around client certificate [a.k.a tls mutual] authentication and how to use it with asp.net web api that is hosted on azure as a azure api app. Apparently there is an article that covers this topic for web apps hosted in azure but it cannot be used as-is for web api as there are some differences on how to get the certificate inside a web api versus web app. I also notice that it does not discuss how to actually make a call to web api from a client app e.g. console or web application etc. and actually demonstrate how to pass client certificate as part of the request. This post is going to cover exactly these two topics:
- Demonstrate how to capture a client certificate inside the web api hosted on azure as a azure api app.
- Demonstrate client application making a call to secure web api by passing a client certificate in the header. We will use both a browser and a sample console app but principal remains same and can be applied to other type of applications including a web application.