
Setting the ClientCertificateMode Kestrel server option from an appsettings.json file. #18660

Closed
javs-ctr opened this issue Jan 29, 2020 · 7 comments · Fixed by #24076
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions Done This issue has been fixed enhancement This issue represents an ask for new feature or an enhancement to an existing one feature-kestrel good first issue Good for newcomers. help wanted Up for grabs. We would accept a PR to help resolve this issue

@javs-ctr

Creating this issue was recommended to me from a response to the AspNetCore.Docs issue #16759 I created previously.

Context: From the Microsoft Docs entry for the Kestrel web server implementation in ASP.NET Core, under the Kestrel options section, the following is a description about configuring Kestrel options:

Kestrel options, which are configured in C# code in the following examples, can also be set using a configuration provider. For example, the File Configuration Provider can load Kestrel configuration from an appsettings.json or appsettings.{Environment}.json file:

I would like to use the Kestrel web server for local development and IIS for the remote web hosting of an ASP.NET Core web application.

I have successfully followed the Configure your host to require certificates in Program.cs for the Kestrel web server.

Issue: It would be nice to be able to configure the ClientCertificateMode property of the HttpsConnectionAdapterOptions class from an appsettings.json file, somewhat similar to how the EndpointsDefault property is configured in the appsettings.json file, documented in the Endpoint configuration section of the Kestrel Microsoft Docs entry. The EndpointsDefault property is a sibling property of the HttpsDefaults property in the KestrelServerOptions class, and I made an (incorrect) assumption that it would be configurable from an appsettings.json file.

In the response to the previous Microsoft Docs issue I created, the ConfigurationReader.cs class was linked, providing a Rosetta Stone-like tool for comprehending the mapping between the KestrelServerOptions class members and the corresponding appsettings.json configuration file keys and values. While the HttpsDefaults key is not found in the ConfigurationReader class like the EndpointDefaults key, might there be in a future update the addition of the HttpsDefaults key with the option to set the ClientCertificateMode configuration value?

cc: @guardrex

@Tratcher Tratcher added enhancement This issue represents an ask for new feature or an enhancement to an existing one feature-kestrel help wanted Up for grabs. We would accept a PR to help resolve this issue labels Jan 29, 2020
@Tratcher
Member

This is something we'd considered (#4765) but were waiting to see if anybody needed it.

@javs-ctr
Author

Greetings Tratcher, thank you for linking to the issue regarding the reading of additional KestrelServerOptions from configuration. If only I had found that issue before polluting the AspNetCore issues list with two redundant issues.

Anyway, to be honest, configuring ClientCertificateMode would be a "nice to have" / want, rather than a need. Configuring this Kestrel server option in the Program.cs CreateHostBuilder static method is not an issue. More for aesthetic / arbitrary reasons it would be nice to set it in something like an appsettings.Development.json file since the only instance where the client certificate mode needs to be configured for Kestrel is for local development, not in Staging or Production, as the web servers in those environments have no need to set the ClientCertificateMode Kestrel Server Option since those web servers are IIS and not Kestrel in my scenario.

Additionally, I would like to also +1 both mikkelblanne's comment and RehanSaeed's comment on issue #4765 noting their surprise when following the Kestrel documentation, expecting all Kestrel Server Options to be configurable from a configuration file, and finding out that only a subset of these options are configurable from a configuration file (reference ConfigurationReader.cs).

Unsolicited suggestion: Update the Kestrel web server implementation in ASP.NET Core document section Kestrel options that introduces the idea that Kestrel Server Options may be configured with a File Configuration Provider:

Kestrel options, which are configured in C# code in the following examples, can also be set using a configuration provider. For example, the File Configuration Provider can load Kestrel configuration from an appsettings.json or appsettings.{Environment}.json file:

with an additional note / reference to the ConfigurationReader class ConfigurationReader.cs, adding that not all Kestrel Server Options are configurable using a configuration file.

@guardrex
Contributor

guardrex commented Jan 29, 2020

an additional note / reference

I'll take care of that @javs-ctr. I'll re-open your original issue and work it from there. Instead of a reference source link, which is difficult for us to maintain release-to-release, I'll indicate that configuration shown in the example appsettings.json file in the topic's text encompasses all of the available settings that can be configured from a config provider (and I'll confirm that that's actually the case when I work the issue or else add missing keys).

@analogrelay analogrelay added the good first issue Good for newcomers. label Jan 29, 2020
@Tratcher
Member

Anyway, to be honest, configuring ClientCertificateMode would be a "nice to have" / want, rather than a need.

It's a legitimate ask, and a relatively easy property to map from config.

@kuns200
Contributor

kuns200 commented Jan 30, 2020

Looks interesting to me. Can I pick this one up?

@Tratcher
Member

@kuns200 feel free.

@kamranayub

kamranayub commented Apr 25, 2020

Came here looking for the same information in the docs and see there's an open PR, hope to see this!

In my case, I actually only want ClientCertificate auth in Production because I am using Cloudflare's Authenticated Origin Pulls which requires a client certificate.

Authenticated Origin Pulls let origin web servers strongly validate that a web request is coming from Cloudflare. We use TLS client certificate authentication, a feature supported by most web servers, and present a Cloudflare certificate when establishing a connection between Cloudflare and the origin server. By validating this certificate in origin server configuration, access can be limited to Cloudflare connections.

I need a way to only apply this setting in Production and I was leaning on appSettings as the easiest way to do that. I don't think it's a showstopper to check for environment, but it's not as easy as env.IsProduction(). I did find a one-liner to get env back 👍

.ConfigureKestrel(options =>
{
    var env = options.ApplicationServices.GetRequiredService<IWebHostEnvironment>();
    if (env.IsProduction())
    {
        options.ConfigureHttpsDefaults(opt =>
            opt.ClientCertificateMode =
                ClientCertificateMode.RequireCertificate);
    }
})
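
One way to drive the setting from appsettings.{Environment}.json using only the ConfigureKestrel and ConfigureHttpsDefaults calls shown in this thread (an added example, not code from the thread or from the ASP.NET Core project). The `App:ClientCertificateMode` key and the `ParseMode` helper are hypothetical; an unrecognized value stops startup instead of silently leaving client certificates off.

```csharp
using System;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using Microsoft.Extensions.Hosting;

public static class Program
{
    // Hypothetical application-level key (not a built-in Kestrel key), e.g. in
    // appsettings.Production.json:
    //   { "App": { "ClientCertificateMode": "RequireCertificate" } }
    private const string ModeKey = "App:ClientCertificateMode";

    // Strict parse. Enum.TryParse on its own also accepts numeric strings such
    // as "7" and returns an undefined enum value, so Enum.IsDefined is checked too.
    public static ClientCertificateMode ParseMode(string value)
    {
        if (string.IsNullOrWhiteSpace(value))
            return ClientCertificateMode.NoCertificate; // key absent: Kestrel's default

        if (Enum.TryParse<ClientCertificateMode>(value, ignoreCase: true, out var mode)
            && Enum.IsDefined(typeof(ClientCertificateMode), mode))
            return mode;

        // Fail closed: a typo such as "RequireCertifcate" must not quietly
        // start the server without client certificate validation.
        throw new InvalidOperationException(
            $"Unrecognized value '{value}' for configuration key {ModeKey}.");
    }

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                // This overload exposes the environment-specific configuration,
                // so no IsProduction() check is needed in code.
                webBuilder.ConfigureKestrel((context, options) =>
                {
                    var mode = ParseMode(context.Configuration[ModeKey]);
                    options.ConfigureHttpsDefaults(https =>
                        https.ClientCertificateMode = mode);
                });
                // Placeholder pipeline; a real app would call UseStartup<Startup>().
                webBuilder.Configure(app => { });
            });

    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();
}
```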

@Tratcher Tratcher added the Done This issue has been fixed label Jul 23, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Aug 22, 2020
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Jun 2, 2023