Mutual TLS (SSL)
Mutual TLS support in IdentityServer allows for two features:
- Client authentication to IdentityServer endpoints using a TLS X.509 client certificate.
- Binding of access tokens to clients using a TLS X.509 client certificate.
See the Mutual TLS section for more information on how to configure this.
IdentityServer Setup
In IdentityServer, the mutual TLS endpoints can be configured in three ways (assuming IdentityServer is running on https://identityserver.io):
- path-based - endpoints located beneath the path ~/connect/mtls, e.g. https://identityserver.io/connect/mtls/token.
- sub-domain based - endpoints are on a sub-domain of the main server, e.g. https://mtls.identityserver.io/connect/token.
- domain-based - endpoints are on a different domain, e.g. https://identityserver-mtls.io.
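As an added example (not code from this documentation page), the following ConfigureServices shows how the three hosting modes above map onto IdentityServer configuration. It assumes IdentityServer4 (the MutualTls option names Enabled, DomainName and ClientCertificateAuthenticationScheme are those of its MutualTlsOptions class; Duende IdentityServer uses the same names) together with the ASP.NET Core Kestrel and Microsoft.AspNetCore.Authentication.Certificate packages; the host names are the ones used on this page.

```csharp
// Added example, not from the IdentityServer docs: enabling the mutual TLS endpoints.
// Assumes IdentityServer4 and Microsoft.AspNetCore.Authentication.Certificate.
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // 1. Kestrel has to ask for a client certificate during the TLS handshake, otherwise the
        //    mTLS endpoints never see one. AllowCertificate (rather than RequireCertificate) keeps
        //    the ordinary endpoints usable for clients that present no certificate.
        services.Configure<KestrelServerOptions>(kestrel =>
        {
            kestrel.ConfigureHttpsDefaults(https =>
            {
                https.ClientCertificateMode = ClientCertificateMode.AllowCertificate;
            });
        });

        // 2. The certificate authentication handler validates the presented certificate
        //    (trust chain, revocation, validity period) before IdentityServer ever looks at it.
        services.AddAuthentication()
            .AddCertificate(options =>
            {
                options.AllowedCertificateTypes = CertificateTypes.Chained; // reject self-signed certs
                options.RevocationMode = X509RevocationMode.Online;
            });

        // 3. Tell IdentityServer where its mTLS endpoints live. DomainName selects the mode:
        services.AddIdentityServer(options =>
        {
            options.MutualTls.Enabled = true;

            // path-based:       leave DomainName null -> https://identityserver.io/connect/mtls/token
            // sub-domain based: a label with no dot   -> https://mtls.identityserver.io/connect/token
            // domain-based:     a full host name      -> https://identityserver-mtls.io/connect/token
            options.MutualTls.DomainName = "mtls";

            // Scheme registered in step 2; "Certificate" is the default, set explicitly for clarity.
            options.MutualTls.ClientCertificateAuthenticationScheme =
                CertificateAuthenticationDefaults.AuthenticationScheme;
        });
    }
}
```

For the sub-domain and domain-based modes the TLS certificate served by Kestrel must also cover the mTLS host name (mtls.identityserver.io or identityserver-mtls.io), otherwise clients will fail the handshake before the client certificate is ever requested.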
Client Authentication
Clients can use an X.509 client certificate as an authentication mechanism against IdentityServer endpoints.
For this you need to associate a client certificate with a client in IdentityServer. Use the IdentityServer builder to add the required services to DI; it includes a default implementation that matches the certificate to the client either by thumbprint or by common name.
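As an added example (not code from this documentation page), here is a client store with one client bound by thumbprint and one by common name, plus the builder call that registers the default validators. It assumes the IdentityServer4 Client and Secret models, the IdentityServerConstants.SecretTypes constants and the AddMutualTlsSecretValidators builder extension; the thumbprint and subject values are constructed placeholders.

```csharp
// Added example, not from the IdentityServer docs: clients authenticated by X.509 certificate.
// Assumes IdentityServer4; the certificate values below are placeholders.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class Clients
{
    public static IEnumerable<Client> Get() => new List<Client>
    {
        new Client
        {
            ClientId = "mtls.thumbprint",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            AllowedScopes = { "api1" },
            ClientSecrets =
            {
                // Thumbprint binding pins exactly one certificate (SHA-1 thumbprint, hex, no spaces).
                // Tightest binding, but the secret must be updated every time the certificate is renewed.
                new Secret
                {
                    Type = IdentityServerConstants.SecretTypes.X509CertificateThumbprint,
                    Value = "0000000000000000000000000000000000000000" // placeholder thumbprint
                }
            }
        },
        new Client
        {
            ClientId = "mtls.commonname",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            AllowedScopes = { "api1" },
            ClientSecrets =
            {
                // Common-name binding accepts any certificate whose subject matches, so a renewed
                // certificate keeps working. Because the match is on the name alone, this is only as
                // strong as the chain validation done by the certificate authentication handler and
                // the set of CAs that handler trusts.
                new Secret
                {
                    Type = IdentityServerConstants.SecretTypes.X509CertificateName,
                    Value = "CN=mtls.commonname.example" // placeholder subject distinguished name
                }
            }
        }
    };
}

public static class IdentityServerRegistration
{
    // Registers the clients above and the thumbprint- and name-based secret validators.
    public static IIdentityServerBuilder AddMtlsClients(this IServiceCollection services) =>
        services.AddIdentityServer(options => options.MutualTls.Enabled = true)
                .AddInMemoryClients(Clients.Get())
                .AddMutualTlsSecretValidators();
}
```

When a client calls the mTLS token endpoint it sends only its client_id in the body; the certificate from the TLS handshake is the credential, and the secret validators compare it to the registered thumbprint or subject name. A certificate that passes chain validation but matches no client secret is rejected with invalid_client, so review IdentityServer's client authentication logs as well as the certificate handler's output when diagnosing failures.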