I have a web-service which I secured using certificates. Now, I want to identify the client by looking at the certificate thumbprint. This means that I have a list of thumbprints on my service somewhere that are linked to some user.
Actually, my first question (a little off-topic) is: is this a good approach or should I still introduce some username password construction?
Second question is: how can I get the certificate that the client used to connect to the web-service so I can read the thumbprint at the service side?
I did read a lot about it (like this post: How do I get the X509Certificate sent from the client in web service?) but could not find an answer.
I have no HTTPContext, so that is not an option. The post mentioned above talks about Context.Request.ClientCertificate.Certificate, but I guess they mean the HTTPContext there as well. Adding <serviceHostingEnvironment aspNetCompatibilityEnabled="true" /> to the web.config is also not an option.
This is how we do this in the constructor of our webservice:

using System.IdentityModel.Claims;
using System.Linq;
using System.Security;
using System.ServiceModel;

// The claim sets are populated once WCF has authenticated the client certificate.
var claimSets = OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets;
if (claimSets == null || claimSets.Count <= 0)
    throw new SecurityException("No claimset: service configured wrong");

// Pick the claim set that carries the client certificate; it is not always at index 0.
var certClaimSet = claimSets.OfType<X509CertificateClaimSet>().FirstOrDefault();
if (certClaimSet == null)
    throw new SecurityException("No certificate claimset: service configured wrong");

var cert = certClaimSet.X509Certificate;
// This contains the thumbprint
var thumbprint = cert.Thumbprint;
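The answer shows where the certificate comes from; what the service then does with the thumbprint is the part that goes wrong in practice. The following is an added example, not code from the question or the answer, of a thumbprint-to-user lookup on the service side. It assumes .NET with System.Security.Cryptography.X509Certificates.CertificateRequest available (.NET Core 2.0+ or .NET Framework 4.7.2+) so that it can mint a throwaway client certificate to run offline; the class and method names (ThumbprintRegistry, Normalize, TryResolveUser, ComputeThumbprint) are my own. Chain validation is left to WCF's certificateValidationMode; this code only covers the mapping and the checks around it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Maps client-certificate thumbprints to user names. The certificate itself
// is the one obtained from the X509CertificateClaimSet in the service's
// security context; this class only performs the lookup.
public sealed class ThumbprintRegistry
{
    private readonly Dictionary<string, string> _users =
        new Dictionary<string, string>(StringComparer.Ordinal);

    // Thumbprints pasted from the Windows certificate dialog often carry
    // spaces, lower-case hex and an invisible left-to-right mark (U+200E).
    // Normalise to the form X509Certificate2.Thumbprint returns: 40 upper-case
    // hex digits with no separators, so the dictionary lookup actually matches.
    public static string Normalize(string thumbprint)
    {
        var hex = new string(thumbprint
            .Where(c => Uri.IsHexDigit(c))
            .Select(char.ToUpperInvariant)
            .ToArray());
        if (hex.Length != 40)
            throw new ArgumentException("A SHA-1 thumbprint is 40 hex digits.", nameof(thumbprint));
        return hex;
    }

    public void Register(string thumbprint, string user) =>
        _users[Normalize(thumbprint)] = user;

    // Returns false for unknown certificates and for ones outside their
    // validity period; pinning by thumbprint does not check expiry by itself.
    public bool TryResolveUser(X509Certificate2 cert, DateTime utcNow, out string user)
    {
        user = null;
        if (utcNow < cert.NotBefore.ToUniversalTime() || utcNow > cert.NotAfter.ToUniversalTime())
            return false;
        return _users.TryGetValue(cert.Thumbprint, out user);
    }

    // The thumbprint is not a field inside the certificate: it is SHA-1 over
    // the DER encoding, so whoever issues a certificate cannot pick it.
    public static string ComputeThumbprint(X509Certificate2 cert)
    {
        using (var sha1 = SHA1.Create())
            return BitConverter.ToString(sha1.ComputeHash(cert.RawData)).Replace("-", "");
    }
}

public static class Demo
{
    // Constructed test data: a self-signed certificate standing in for the one
    // the client presented during the TLS handshake.
    private static X509Certificate2 MakeClientCert(string subject)
    {
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=" + subject, rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                        DateTimeOffset.UtcNow.AddDays(30));
        }
    }

    public static void Main()
    {
        var alice = MakeClientCert("alice");
        var impostor = MakeClientCert("alice"); // same subject name, different key pair

        var registry = new ThumbprintRegistry();
        // Register the sloppy, pasted form to show that Normalize copes with it.
        registry.Register("\u200E" + alice.Thumbprint.ToLowerInvariant(), "alice");

        Console.WriteLine("Thumbprint is SHA-1 of RawData: " +
            (ThumbprintRegistry.ComputeThumbprint(alice) == alice.Thumbprint));
        Console.WriteLine("alice resolves: " +
            registry.TryResolveUser(alice, DateTime.UtcNow, out var who) + " -> " + who);
        Console.WriteLine("impostor resolves: " +
            registry.TryResolveUser(impostor, DateTime.UtcNow, out who));
    }
}
```

The second certificate has the same subject as the first but a different key, so its DER encoding and therefore its thumbprint differ, and the lookup fails for it; this is why matching on thumbprint rather than on subject name is the right key for the registry. Keying the dictionary on the normalised form avoids the classic failure where a thumbprint copied from certmgr.msc never matches because of the hidden U+200E character.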