Client certificates and claims-based identity in ASP.NET Web API

If a client accessing an endpoint implemented as an ASP.NET Web API controller over HTTPS provides a client certificate, that certificate is available through Request.GetClientCertificate. That said, I'm wondering: is it possible to get that information represented in the claims-based model that has been integrated into the .NET 4.5 security model?

The main reason I would like to do this is that I need different clients to be able to authenticate in different ways to access the same services, so I would rather abstract away from specific mechanisms such as certificates. I want my controller to base its decisions on the claims for the current user without touching the origin of those claims.

I know there is a type X509CertificateClaimSet, which makes it look like a natural flow would be:

  • The client certificate passed over TLS/SSL is exposed as an X509CertificateClaimSet through some sort of token-handling process (similar to how an incoming cookie generated by a federated provider such as ACS is processed by SessionSecurityTokenHandler).
  • A claims transformation module (something derived from ClaimsAuthenticationManager and configured with a <claimsAuthenticationManager> element) validates the set of claims that comes from the certificate and converts it into non-token claims for the application.
  • The controller then looks for the application-specific claims.

There is even an X509SecurityTokenHandler, which sounds like it should do this. However, as far as I can tell, it is intended for scenarios where certificate-based authentication is carried in the messages being sent; it doesn't seem to support a scenario where proof of certificate ownership happened at the transport layer, i.e. as part of the TLS/SSL handshake.

I am wondering if I need to write my own module for this. In theory, it looks like it might just be a case of handling the AuthenticateRequest event, looking at the request's certificate and generating an X509CertificateClaimSet from the certificate if one is present. But... then what? Do I just create my own ClaimsPrincipal and replace the existing user? Or is there some "correct" way to add the claims I found in the set? (The client certificate is not necessarily the only source of claims: my application already uses claims that come from the ACS integration. Is there a standard mechanism to ensure that all the possible sources of claims are combined correctly?)

It looks like SessionAuthenticationModule (SAM) is the identity model component that currently provides the claims principal, and it simply replaces the one that was previously in the context, as well as the thread's current user. But it does appear to provide extensibility: if you override its ValidateSessionToken, that returns the set of ClaimsIdentity objects that make up the principal. So in theory I could override that and add additional claims at this point.

But I'm not sure that is the right way. As far as I can tell, SAM does this after the ClaimsAuthenticationManager has done its claims transformation. Or is claims transformation the wrong place for this to go?

2 answers


Look here: Thinktecture.IdentityModel. Client and order creation are part of Thinktecture.IdentityModel.



+5


source


If I were you, I would externalize authentication: let some other service provide authentication and just return SAML tokens with the required claims.

So in your application you don't really think about certificates at all; you just expect specific claims from federated identity providers.

You then implement one of your identity providers to actually accept certificates, but the outbound SAML hides this implementation detail and translates the certificate into a set of claims that is useful for your application.
