Tags: asp.net-mvc, authentication, x509certificate, client-certificates

using X509 certificate thumbprint for user authentication


Is it OK to use a certificate thumbprint to authenticate and uniquely identify a user? Below is the use case I am trying to address:

I am planning to expose a REST-based endpoint which is expected to be consumed by WPF client applications. The client machine is also expected to install an X509 certificate created for the new client as part of the on-boarding process. The certificate thumbprint to user mapping is what I am planning to store securely at our end (say by using Azure Key Vault).

Now whenever an API service request is received, my authentication manager will extract the certificate attached to that HTTP request and use the corresponding thumbprint to fetch the user info from the mapping store as stated above.

If no match is found, the server will respond with an HTTP 401 Unauthorized status code.

I would like to understand if there is any downside, loophole or flaw in this entire user authentication process.

Additional info: the service is built using the ASP.NET MVC application framework and is hosted on IIS.

Note: please refrain from suggesting AAD/token-based authentication; I have already evaluated those options and decided not to go with them (not because of any technical challenge, but because of factors which I cannot explain here).


Solution

  • What you are suggesting is similar to certificate pinning. It highly depends on your client certificate management. Client certificates sometimes expire, are sometimes lost/stolen, and so on. If you can handle certificate replacement outside of your web API and keep it in sync with the internal database, it is reliable enough.

    However, I would suggest performing additional checks on the certificate (for example, the UPN value in the Subject Alternative Name extension) to reduce the chance of thumbprint collision (currently, Microsoft uses SHA1 for thumbprint calculations).
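The following is an added example (not code from the question or the answer) of how the scheme described above can be implemented as an ASP.NET MVC authorization filter on IIS: it takes the client certificate IIS negotiated on the TLS connection, verifies that it chains to the on-boarding CA, looks it up by a SHA-256 thumbprint (rather than the SHA-1 `Thumbprint` property the answer flags), and cross-checks the UPN in the Subject Alternative Name against the value recorded at on-boarding. `IUserMappingStore`, `MappedUser`, `InMemoryMappingStore` and the pinned `OnboardingCa` are assumptions standing in for the question's Key Vault backed mapping store and the on-boarding CA; the sample data is constructed.

```csharp
// Added example; IUserMappingStore, MappedUser, InMemoryMappingStore and
// OnboardingCa are hypothetical names, not part of the original post.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

public sealed class MappedUser
{
    public string UserName { get; set; }
    public string ExpectedUpn { get; set; }   // UPN put into the SAN at on-boarding
    public string[] Roles { get; set; }
}

// Stand-in for the "secure mapping store" (Key Vault, database, ...),
// keyed by upper-case hex SHA-256 thumbprint.
public interface IUserMappingStore
{
    bool TryGetUser(string sha256Thumbprint, out MappedUser user);
}

public sealed class InMemoryMappingStore : IUserMappingStore
{
    // Constructed sample store; real entries are written during on-boarding.
    private readonly Dictionary<string, MappedUser> _map =
        new Dictionary<string, MappedUser>(StringComparer.OrdinalIgnoreCase);

    public void Add(string sha256Thumbprint, MappedUser user) => _map[sha256Thumbprint] = user;

    public bool TryGetUser(string sha256Thumbprint, out MappedUser user) =>
        _map.TryGetValue(sha256Thumbprint, out user);
}

public sealed class ClientCertificateAuthorizeAttribute : AuthorizeAttribute
{
    // Static for brevity; inject these in a real application.
    public static IUserMappingStore Store { get; set; }
    // Assumed: the CA that issues client certificates at on-boarding. Pinning it
    // means a certificate from any other issuer is rejected before the thumbprint
    // lookup, so a thumbprint match alone can never authenticate a request.
    public static X509Certificate2 OnboardingCa { get; set; }

    // SHA-256 over the DER encoding. X509Certificate2.Thumbprint is SHA-1 on
    // .NET Framework, so the hash is computed here instead.
    public static string Sha256Thumbprint(X509Certificate2 cert)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(cert.RawData)).Replace("-", "");
    }

    // Builds the chain with revocation checking and requires it to end at the pinned CA.
    public static bool ChainsToOnboardingCa(X509Certificate2 cert)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.ExtraStore.Add(OnboardingCa);
            // The private CA is not in the machine root store, so allow an unknown
            // root during building and then verify the root is exactly our CA.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            if (!chain.Build(cert)) return false;
            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return Sha256Thumbprint(root) == Sha256Thumbprint(OnboardingCa);
        }
    }

    public static bool TryAuthenticate(X509Certificate2 cert, out MappedUser user)
    {
        user = null;
        if (cert == null || Store == null || OnboardingCa == null) return false;
        if (!ChainsToOnboardingCa(cert)) return false;                  // issuer, validity, revocation
        if (!Store.TryGetUser(Sha256Thumbprint(cert), out user)) return false;
        // The answer's extra check: the UPN from the SAN must match the on-boarding record.
        var upn = cert.GetNameInfo(X509NameType.UpnName, forIssuer: false);
        if (string.IsNullOrEmpty(upn) ||
            !string.Equals(upn, user.ExpectedUpn, StringComparison.OrdinalIgnoreCase))
        {
            user = null;
            return false;
        }
        return true;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // IIS only fills this in when the site's SSL Settings accept or require client certificates.
        var clientCert = httpContext.Request.ClientCertificate;
        if (clientCert == null || !clientCert.IsPresent) return false;
        MappedUser user;
        if (!TryAuthenticate(new X509Certificate2(clientCert.Certificate), out user)) return false;
        httpContext.User = new GenericPrincipal(
            new GenericIdentity(user.UserName, "X509"), user.Roles ?? new string[0]);
        return true;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // 401 as in the question; give no detail about which check failed.
        filterContext.Result = new HttpUnauthorizedResult();
    }
}

// Usage: decorate the controllers or actions that make up the REST endpoint.
[ClientCertificateAuthorize]
public class ReportsController : Controller
{
    public ActionResult Index() => Content("hello " + User.Identity.Name);
}
```

Two points are easy to miss when wiring this up. `Request.ClientCertificate.IsPresent` is false unless IIS is configured to negotiate a client certificate on the TLS handshake (SSL Settings, Accept or Require client certificates), so the filter silently returns 401 for everyone until that is done. And the chain check is what turns a thumbprint lookup into a credential check: without it, a certificate that is expired, revoked after being lost or stolen, or issued by someone else still authenticates as long as its hash is in the store.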