Steeltoe
Certificate auth validation issue
While working on #1525, I discovered that due to one or more certificate validation issues, certificate authorization is not working when the client and server apps are not on the same operating system.
Linux client, Windows server:
2025-06-13T13:37:50.83-0500 [APP/REV/25/PROC/WEB/0] OUT warn: Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler[2]
2025-06-13T13:37:50.83-0500 [APP/REV/25/PROC/WEB/0] OUT Certificate validation failed, subject was CN=f9e63bc0-b0e8-43af-47b1-098a, OU=app:049d744b-eae8-4b69-bad3-a71c4e4d537d + OU=space:ab60aac2-fb64-43ab-ba24-c57a15a7e114 + OU=organization:7fe4d027-2058-4539-a40c-702ac1373905. NotSignatureValid The signature of the certificate cannot be verified.
2025-06-13T13:37:50.84-0500 [APP/REV/25/PROC/WEB/0] OUT info: Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler[7]
2025-06-13T13:37:50.84-0500 [APP/REV/25/PROC/WEB/0] OUT Certificate was not authenticated. Failure message: Client certificate failed validation.
2025-06-13T13:37:50.84-0500 [APP/REV/25/PROC/WEB/0] OUT dbug: Microsoft.AspNetCore.Authorization.AuthorizationMiddleware[0]
2025-06-13T13:37:50.84-0500 [APP/REV/25/PROC/WEB/0] OUT Policy authentication schemes Certificate did not succeed
2025-06-13T13:37:50.84-0500 [APP/REV/25/PROC/WEB/0] OUT dbug: Steeltoe.Security.Authorization.Certificate.CertificateAuthorizationHandler[0]
2025-06-13T13:37:50.84-0500 [APP/REV/25/PROC/WEB/0] OUT User has the required claim, but the value doesn't match. Expected 7fe4d027-2058-4539-a40c-702ac1373905 but got (null)
2025-06-13T13:37:50.84-0500 [APP/REV/25/PROC/WEB/0] OUT info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2025-06-13T13:37:50.84-0500 [APP/REV/25/PROC/WEB/0] OUT Authorization failed. These requirements were not met:
2025-06-13T13:37:50.84-0500 [APP/REV/25/PROC/WEB/0] OUT Steeltoe.Security.Authorization.Certificate.SameOrgRequirement
Windows client, Linux server:
2025-06-13T13:58:44.48-0500 [APP/REV/1/PROC/WEB/0] OUT warn: Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler[2]
2025-06-13T13:58:44.48-0500 [APP/REV/1/PROC/WEB/0] OUT Certificate validation failed, subject was CN=bad07b69-13a1-4ef5-7cbb-c755, OU=app:2fa64377-f11b-42f4-b39c-c81e90d9c3ec + OU=space:ab60aac2-fb64-43ab-ba24-c57a15a7e114 + OU=organization:7fe4d027-2058-4539-a40c-702ac1373905. PartialChain unable to get local issuer certificate
2025-06-13T13:58:44.48-0500 [APP/REV/1/PROC/WEB/0] OUT info: Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler[7]
2025-06-13T13:58:44.48-0500 [APP/REV/1/PROC/WEB/0] OUT Certificate was not authenticated. Failure message: Client certificate failed validation.
2025-06-13T13:58:44.48-0500 [APP/REV/1/PROC/WEB/0] OUT dbug: Microsoft.AspNetCore.Authorization.AuthorizationMiddleware[0]
2025-06-13T13:58:44.48-0500 [APP/REV/1/PROC/WEB/0] OUT Policy authentication schemes Certificate did not succeed
2025-06-13T13:58:44.48-0500 [APP/REV/1/PROC/WEB/0] OUT dbug: Steeltoe.Security.Authorization.Certificate.CertificateAuthorizationHandler[0]
2025-06-13T13:58:44.48-0500 [APP/REV/1/PROC/WEB/0] OUT User has the required claim, but the value doesn't match. Expected ab60aac2-fb64-43ab-ba24-c57a15a7e114 but got (null)
2025-06-13T13:58:44.49-0500 [APP/REV/1/PROC/WEB/0] OUT info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2025-06-13T13:58:44.49-0500 [APP/REV/1/PROC/WEB/0] OUT Authorization failed. These requirements were not met:
2025-06-13T13:58:44.49-0500 [APP/REV/1/PROC/WEB/0] OUT Steeltoe.Security.Authorization.Certificate.SameSpaceRequirement
2025-06-13T13:58:44.49-0500 [APP/REV/1/PROC/WEB/0] OUT info: Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler[12]
2025-06-13T13:58:44.49-0500 [APP/REV/1/PROC/WEB/0] OUT AuthenticationScheme: Certificate was challenged.
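A triage sketch for the two log excerpts above (an added example, not part of the original issue or Steeltoe's code): it pulls the chain status out of the authentication warning and checks whether the certificate subject already carries the value the authorization requirement expected. The function name `triage` and the regular expressions are assumptions based only on the message text shown here; the sample lines are copied from the logs in this issue.

```python
import re

# Patterns assume the exact message wording shown in the logs of this issue.
FAILED = re.compile(r"Certificate validation failed, subject was (.+?)\. ([A-Z]\w+) (.+)")
OU = re.compile(r"OU=(app|space|organization):([0-9a-f-]+)")
EXPECTED = re.compile(r"Expected (\S+) but got (\S+)")
REQUIREMENT = re.compile(r"Certificate\.Same(Org|Space)Requirement")
KIND = {"Org": "organization", "Space": "space"}  # requirement -> subject OU prefix

def triage(log_text):
    """Summarize one failed request from the handler messages in log_text."""
    failed = FAILED.search(log_text)
    expected = EXPECTED.search(log_text)
    req = REQUIREMENT.search(log_text)
    if not (failed and expected and req):
        return None  # not the failure pattern shown in this issue
    subject, status, detail = failed.groups()
    ous = dict(OU.findall(subject))  # e.g. {"app": ..., "space": ..., "organization": ...}
    return {
        "chain_status": status,              # X.509 chain status reported by the handler
        "detail": detail.strip(),
        "requirement": f"Same{req.group(1)}Requirement",
        "expected": expected.group(1),
        "claim": expected.group(2),          # "(null)" when no claim was issued
        # True when the rejected certificate's subject holds the expected value
        "subject_matches": ous.get(KIND[req.group(1)]) == expected.group(1),
    }

# Sample input: three lines from each excerpt above, copied from this issue.
LINUX_CLIENT_WINDOWS_SERVER = """\
2025-06-13T13:37:50.83-0500 [APP/REV/25/PROC/WEB/0] OUT Certificate validation failed, subject was CN=f9e63bc0-b0e8-43af-47b1-098a, OU=app:049d744b-eae8-4b69-bad3-a71c4e4d537d + OU=space:ab60aac2-fb64-43ab-ba24-c57a15a7e114 + OU=organization:7fe4d027-2058-4539-a40c-702ac1373905. NotSignatureValid The signature of the certificate cannot be verified.
2025-06-13T13:37:50.84-0500 [APP/REV/25/PROC/WEB/0] OUT User has the required claim, but the value doesn't match. Expected 7fe4d027-2058-4539-a40c-702ac1373905 but got (null)
2025-06-13T13:37:50.84-0500 [APP/REV/25/PROC/WEB/0] OUT Steeltoe.Security.Authorization.Certificate.SameOrgRequirement
"""
WINDOWS_CLIENT_LINUX_SERVER = """\
2025-06-13T13:58:44.48-0500 [APP/REV/1/PROC/WEB/0] OUT Certificate validation failed, subject was CN=bad07b69-13a1-4ef5-7cbb-c755, OU=app:2fa64377-f11b-42f4-b39c-c81e90d9c3ec + OU=space:ab60aac2-fb64-43ab-ba24-c57a15a7e114 + OU=organization:7fe4d027-2058-4539-a40c-702ac1373905. PartialChain unable to get local issuer certificate
2025-06-13T13:58:44.48-0500 [APP/REV/1/PROC/WEB/0] OUT User has the required claim, but the value doesn't match. Expected ab60aac2-fb64-43ab-ba24-c57a15a7e114 but got (null)
2025-06-13T13:58:44.49-0500 [APP/REV/1/PROC/WEB/0] OUT Steeltoe.Security.Authorization.Certificate.SameSpaceRequirement
"""

if __name__ == "__main__":
    for name in ("LINUX_CLIENT_WINDOWS_SERVER", "WINDOWS_CLIENT_LINUX_SERVER"):
        print(name, triage(globals()[name]))
```

On both excerpts `subject_matches` is true while the claim is `(null)`: the requirement fails after chain validation rejected the certificate, not because the subject names a different org or space.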