This is the last part of my PoP and Mutual TLS post series.
Part 1 covered some history and motivation, and part 2 looked at various server setups.
Part 3 was supposed to be a walk-through guide on how to set up ASP.NET Core and IdentityServer, as well as a client and an API.
While writing this up, I realized that this should really be in our documentation rather than on my private blog.
But to summarize those steps, you need to:
- set up MTLS at the hosting layer (e.g. IIS, Nginx, Apache etc.), which is where the client certificate is actually requested and validated
- set up ASP.NET Core to receive the client certificate from the hosting layer, if one was presented, so that the application code can see it
- enable MTLS in IdentityServer
- associate IdentityServer clients with client certificates
Now the client can start sending the client certificate while requesting tokens and calling APIs. IdentityServer will embed the thumbprint of the client certificate in the access token, and the API will compare that value with the thumbprint of the certificate actually presented on its own TLS connection.
If they match, voilà! The client has successfully proven that it is really the owner of the access token – aka Proof-of-Possession. If they don't match (or no client certificate was presented at all), the API must reject the token, even though the token itself is otherwise valid.
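To make the API-side check concrete, here is an added example of that comparison as an ASP.NET Core middleware. It is not code from the original post or from IdentityServer; it assumes the hosting layer has already validated the client certificate and ASP.NET Core exposes it on `HttpContext.Connection.ClientCertificate`, that the JWT bearer handler has already validated the token so its `cnf` claim is on `HttpContext.User`, and that the thumbprint is carried in the `cnf` claim as the `x5t#S256` member (base64url of the SHA-256 hash of the DER certificate, as specified in RFC 8705). The class and method names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Added example, not from the original post or IdentityServer: rejects any
// authenticated request whose access token is not bound to the client
// certificate presented on the current TLS connection.
public sealed class CertificateBoundTokenMiddleware
{
    private readonly RequestDelegate _next;

    public CertificateBoundTokenMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        // No token, nothing to bind; let the authorization layer decide.
        if (context.User?.Identity?.IsAuthenticated != true)
        {
            await _next(context);
            return;
        }

        // Assumption: the JWT handler keeps the nested cnf object as a JSON string claim.
        var cnfJson = context.User.FindFirst("cnf")?.Value;
        var clientCert = context.Connection.ClientCertificate;

        if (!IsBound(cnfJson, clientCert))
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            context.Response.Headers["WWW-Authenticate"] = "Bearer error=\"invalid_token\"";
            return;
        }

        await _next(context);
    }

    // True only when the token carries cnf/x5t#S256 and it equals the SHA-256
    // thumbprint of the certificate the caller actually presented.
    public static bool IsBound(string? cnfJson, X509Certificate2? clientCert)
    {
        // A token without cnf is a plain bearer token. This API accepts
        // PoP tokens only, so it is rejected; relax this if you mix both.
        if (string.IsNullOrEmpty(cnfJson) || clientCert is null) return false;

        string? expected;
        try
        {
            using var doc = JsonDocument.Parse(cnfJson);
            if (!doc.RootElement.TryGetProperty("x5t#S256", out var prop) ||
                prop.ValueKind != JsonValueKind.String)
            {
                return false;
            }
            expected = prop.GetString();
        }
        catch (JsonException)
        {
            return false;
        }

        if (string.IsNullOrEmpty(expected)) return false;

        var actual = Thumbprint(clientCert);

        // Constant-time comparison; FixedTimeEquals returns false on length mismatch.
        return CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(expected),
            Encoding.ASCII.GetBytes(actual));
    }

    // x5t#S256 per RFC 8705: base64url(SHA-256(DER-encoded certificate)), no padding.
    public static string Thumbprint(X509Certificate2 cert)
    {
        var hash = cert.GetCertHash(HashAlgorithmName.SHA256);
        return Convert.ToBase64String(hash)
            .TrimEnd('=')
            .Replace('+', '-')
            .Replace('/', '_');
    }
}
```

Register it with `app.UseMiddleware<CertificateBoundTokenMiddleware>()` after authentication and before authorization. The important design point is the direction of trust: the thumbprint in the token is only meaningful because the TLS layer has already proven the caller holds the private key of the presented certificate, so the API compares against the certificate from its own connection and never against anything the client sends in the HTTP payload.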
The full walkthrough including samples etc. can be found here.