I am working with a REST service provider and they want me to use a client certificate provided by them when making HTTP call.
How does a client cert achieve authentication?
If someone has a copy of the client cert, they too can be authenticated right?
Does a client cert offer anything else beside authentication?
How are they different from a username/password authentication?
How does a client cert achieve authentication?
By being either signed by someone the peer trusts (including self-signing), or signed by someone that is trusted by someone the peer trusts, etc.
If someone has a copy of the client cert, they too can be authenticated right?
Wrong. They would also need the private key.
Does a client cert offer anything else beside authentication?
No.
How are they different from a username/password authentication?
Much more secure. No password-guessing is possible.
However There is no such thing as a 'client certificate provided by them'. The process of generating a client certificate starts with you. You generate a key pair and a Certificate Signing Request (CSR) and you have it signed by a CA. Or you generate a self-signed certificate. You then provide your certificate to them. If they are proposing to carry out all these steps and provide the resulting key pair and certificate to you, they do not know what they are talking about and should be severely chastised for security breaches. A private key is only private if no-one else has a copy.