xavierjohn / ClientCertificateMiddleware

ASP.NET Core Client Certificate Middleware
MIT License

How can I reject the request if no certificate is supplied? #2

Closed rudeGit closed 6 years ago

rudeGit commented 7 years ago

I would like to reject the request if a certificate is not supplied or an invalid one is supplied.

The code in its current form was not rejecting the request when a certificate is supplied. So I modified it to the following:

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        var certificate = Context.Connection.ClientCertificate;
        if (certificate != null && certificate.Verify())
        {
            // Do stuff
            return AuthenticateResult.Success(ticket);
        }

        return AuthenticateResult.Fail("No cert found!");
    }

But the request still ends up in the controller. I also modified the Startup::ConfigureServices() method to set the options.DefaultForbidScheme property. I also tried to remove the IAuthenticationSchemeProvider implementation provided by MVC.

Not really sure what else to do here. How do I need to modify this code so that the request is rejected when the desired authentication fails?

xavierjohn commented 6 years ago

If you want to force the user to supply a certificate, you can change the following setting from

    ClientCertificateMode = ClientCertificateMode.AllowCertificate,

to

    ClientCertificateMode = ClientCertificateMode.RequireCertificate

Either way, if your configuration is correct, the request should not end up in your controller. In my demo, irrespective of the above setting, you will not be able to hit the controller method without the correct cert.
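
Added example, not part of the thread and not this repository's code: a minimal `Program.cs` showing the two layers discussed above, the TLS-level `RequireCertificate` setting and an authorization requirement that turns a failed certificate authentication into a rejected request. It assumes .NET 6 or later with the minimal hosting model and uses Microsoft's `Microsoft.AspNetCore.Authentication.Certificate` handler in place of this project's middleware; the `/whoami` endpoint is hypothetical.

```csharp
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Layer 1 (transport): Kestrel aborts the TLS handshake when the client
// presents no certificate. With AllowCertificate the handshake succeeds and
// Context.Connection.ClientCertificate is simply null.
builder.WebHost.ConfigureKestrel(kestrel =>
    kestrel.ConfigureHttpsDefaults(https =>
        https.ClientCertificateMode = ClientCertificateMode.RequireCertificate));

// Layer 2 (authentication): validates the presented certificate. A failed
// result here does NOT stop the pipeline; the request just continues as an
// anonymous user.
builder.Services
    .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        // Accept only certificates that chain to a trusted root.
        options.AllowedCertificateTypes = CertificateTypes.Chained;
    });

// Layer 3 (authorization): this is what rejects the request. The fallback
// policy applies to every endpoint without its own authorization metadata,
// so an endpoint missing [Authorize] is not silently left open.
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();

// Order matters: authentication must populate HttpContext.User before
// authorization evaluates the policy.
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint: only reached when certificate authentication succeeded.
app.MapGet("/whoami", (HttpContext ctx) => ctx.User.Identity?.Name ?? "(no name)");

app.Run();
```

Without the fallback policy (or an `[Authorize]` attribute on the controller), a handler that returns `AuthenticateResult.Fail(...)` leaves the request anonymous and the action still runs, which matches the behaviour described in the question.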