@@ -1267,12 +1267,12 @@ appsettings.json:
12671267 "Client": {
12681268- "AuthDomain": "http://localhost:8080",
12691269+ "Authority": "http://localhost:8080/uaa",
1270- "CallbackPath": "/signin-oidc",
1271- "ClientId": "steeltoesamplesclient",
1272- "ClientSecret": "client_secret",
12731270+ "MetadataAddress": "http://localhost:8080/.well-known/openid-configuration",
12741271+ "RequireHttpsMetadata": false,
1275- + "AdditionalScopes": "sampleapi.read"
1272+ + "AdditionalScopes": "sampleapi.read",
1273+ "CallbackPath": "/signin-oidc",
1274+ "ClientId": "steeltoesamplesclient",
1275+ "ClientSecret": "client_secret"
12761276 }
12771277 }
12781278 }
@@ -1345,9 +1345,9 @@ appsettings.json:
13451345- "ClientId": "steeltoesamplesclient",
13461346- "ClientSecret": "client_secret",
13471347- "MetadataAddress": "http://localhost:8080/.well-known/openid-configuration",
1348- - "AdditionalScopes ": "sampleapi.read" ,
1348+ - "RequireHttpsMetadata ": false ,
13491349- "SaveTokens": true,
1350- - "RequireHttpsMetadata ": false
1350+ - "AdditionalScopes ": "sampleapi.read"
13511351- }
13521352- }
13531353- }
@@ -1531,9 +1531,9 @@ var builder = WebApplication.CreateBuilder(args);
15311531- builder.Configuration.AddCloudFoundryContainerIdentity(orgId, spaceId);
15321532+ builder.Configuration.AddAppInstanceIdentityCertificate(new Guid(orgId), new Guid(spaceId));
15331533
1534- - builder.Services.AddCloudFoundryCertificateAuth(options => options.CertificateHeader = "X-Client-Cert");
1534+ - builder.Services.AddCloudFoundryCertificateAuth(options => options.CertificateHeader = "X-Forwarded- Client-Cert");
15351535+ builder.Services.AddAuthentication().AddCertificate();
1536- + builder.Services.AddAuthorizationBuilder().AddOrgAndSpacePolicies();
1536+ + builder.Services.AddAuthorizationBuilder().AddOrgAndSpacePolicies("X-Forwarded-Client-Cert" );
15371537
15381538var app = builder.Build();
15391539
@@ -1558,6 +1558,24 @@ app.MapGet("/sameSpace", async httpContext =>
15581558+ .RequireAuthorization(CertificateAuthorizationPolicies.SameSpace);
15591559```
15601560
1561+ > [ !NOTE]
1562+ > Prior to Steeltoe 3.3.0, Steeltoe Certificate Auth used the header ` X-Forwarded-Client-Cert ` , which was not configurable.
1563+ > The code shown above is provided for compatibility between the versions. The preferred header name is ` X-Client-Cert ` .
1564+ > In Steeltoe 4.0, the default header is ` X-Client-Cert ` , so the parameter can be omitted if cross-compatibility is not required.
1565+
1566+ launchsettings.json (server-side):
1567+
1568+ ``` diff
1569+ {
1570+ "profiles": {
1571+ "http": {
1572+ "commandName": "Project",
1573+ "applicationUrl": "https://+:7107" // bind to all host names and IP addresses
1574+ }
1575+ }
1576+ }
1577+ ```
1578+
15611579Program.cs (client-side):
15621580
15631581``` diff
@@ -1579,13 +1597,13 @@ var builder = WebApplication.CreateBuilder(args);
15791597builder.Services
15801598- .AddHttpClient<PingClient>((services, client) =>
15811599- {
1582- - client.BaseAddress = new Uri("http ://example-service/ ")
1600+ - client.BaseAddress = new Uri("https ://localhost:7107 ")
15831601- var options = services.GetRequiredService<IOptions<CertificateOptions>>();
15841602- var b64 = Convert.ToBase64String(options.Value.Certificate.Export(X509ContentType.Cert));
1585- - client.DefaultRequestHeaders.Add("X-Client-Cert", b64);
1603+ - client.DefaultRequestHeaders.Add("X-Forwarded- Client-Cert", b64);
15861604- });
1587- + .AddHttpClient<PingClient>(httpClient => httpClient.BaseAddress = new Uri("http ://example-service/ "))
1588- + .AddAppInstanceIdentityCertificate();
1605+ + .AddHttpClient<PingClient>(httpClient => httpClient.BaseAddress = new Uri("https ://localhost:7107 "))
1606+ + .AddAppInstanceIdentityCertificate("X-Forwarded-Client-Cert" );
15891607
15901608var app = builder.Build();
15911609
@@ -1604,6 +1622,11 @@ public class PingClient(HttpClient httpClient)
16041622}
16051623```
16061624
1625+ > [ !NOTE]
1626+ > Prior to Steeltoe 3.3.0, Steeltoe Certificate Auth used the header ` X-Forwarded-Client-Cert ` , which was not configurable.
1627+ > The code shown above is provided for compatibility between the versions. The preferred header name is ` X-Client-Cert ` .
1628+ > In Steeltoe 4.0, the default header is ` X-Client-Cert ` , so the parameter can be omitted if cross-compatibility is not required.
1629+
16071630### DataProtection Key Store using Redis/Valkey
16081631
16091632``` diff
0 commit comments