From 1c9b616671848176bb46587fa09a7057eefd8af3 Mon Sep 17 00:00:00 2001 From: Chris R Date: Fri, 29 Oct 2021 11:49:44 -0700 Subject: [PATCH] More client cert docs --- docs/docfx/articles/transforms.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/docfx/articles/transforms.md b/docs/docfx/articles/transforms.md index 73994c083..d60a2f7f3 100644 --- a/docs/docfx/articles/transforms.md +++ b/docs/docfx/articles/transforms.md @@ -688,6 +688,10 @@ X-Client-Cert: SSdtIGEgY2VydGlmaWNhdGU... ``` As the inbound and outbound connections are independent, there needs to be a way to pass any inbound client certificate to the destination server. This transform causes the client certificate taken from `HttpContext.Connection.ClientCertificate` to be Base64 encoded and set as the value for the given header name. The destination server may need that certificate to authenticate the client. There is no standard that defines this header and implementations vary, check your destination server for support. +Servers do minimal validation on the incoming client certificate by default. The certificate should be validated either in the proxy or the destination, see the [client certificate auth](https://docs.microsoft.com/aspnet/core/security/authentication/certauth) docs for details. + +This transform will only apply if the client certificate is already present on the connection. See the [optional certs doc](https://docs.microsoft.com/aspnet/core/security/authentication/certauth#optional-client-certificates) if it needs to be requested from the client on a per-route basis. + ## Response and Response Trailers All response headers and trailers are copied from the proxied response to the outgoing client response by default. Response and response trailer transforms may specify if they should be applied only for successful responses or for all responses.
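Review bot: The second added paragraph, "This transform will only apply if the client certificate is already present on the connection", leaves open what happens to a request header of the same name that the client sent itself when no certificate is present. Because the surrounding text says the destination may use this header to authenticate the client, the doc should state whether the transform removes the inbound header in that case or forwards it unchanged. If it is forwarded, the doc should tell readers to strip it on those routes. In the first added paragraph, "Servers do minimal validation" does not say which servers are meant (the proxy, the destination, or both) or which checks are skipped by default. A short clause naming them would make "validated either in the proxy or the destination" actionable without following the link. The comma before "see the" in that sentence should be a sentence break.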