This article shows how to call a downstream API protected with certificate authentication from a Blazor application, using the Microsoft YARP reverse proxy. The Blazor WASM HTTP requests are sent to a secured backend, which uses YARP to forward the requests to the API protected with certificate authentication. The Blazor application authenticates against the OpenIddict identity provider using the BFF (backend for frontend) security architecture. The downstream API protected with certificate authentication is deployed to an Azure App Service and requires a known client certificate before the API can be used.
The application was built using the openiddict-samples and the Dantooine sample. Only small changes to the YARP configuration are required to implement the API calls. The dotnet template Blazor.BFF.OpenIDConnect.Template could also be used to set up the Blazor application; it pre-configures the BFF authentication and uses standard OpenID Connect.
The API protected with certificate authentication is implemented in the following code: AzureCertAuth. This application is deployed to the Azure App Service, and a certificate is required to use it. The server validates that the correct certificate is presented when accessing the API.
The YARP reverse proxy is set up in the startup class and the app settings. The client certificate required for the downstream API is loaded into the project using the X509Certificate2 class. It could be loaded from the operating system certificate store, from Azure Key Vault, or in some other secure way; the demo loads it directly from a PFX file in an insecure way.
The AddReverseProxy method adds the YARP definitions, and the ConfigureHttpClient method adds the SslOptions containing the client certificate used for the Azure API calls. MapReverseProxy adds the endpoints and reads the configuration from the app settings.
// Create an authorization policy used by YARP when forwarding requests
// from the WASM application to the Dantooine.Api1 resource server.
services.AddAuthorization(options => options.AddPolicy("CookieAuthenticationPolicy", builder =>
    builder.AddAuthenticationSchemes(CookieAuthenticationDefaults.AuthenticationScheme)
           .RequireAuthenticatedUser()));

// Demo only: the client certificate is read from a local PFX with a hard-coded password.
var cert = new X509Certificate2("client.pfx", "1234");

services.AddReverseProxy()
    .LoadFromConfig(Configuration.GetSection("ReverseProxy"))
    .ConfigureHttpClient((context, handler) =>
        // Present the client certificate to the downstream API in the TLS handshake.
        handler.SslOptions = new SslClientAuthenticationOptions
        {
            ClientCertificates = new X509CertificateCollection { cert }
        });

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // ... authentication, authorization and the other middleware ...
    app.UseEndpoints(endpoints => endpoints.MapReverseProxy());
}
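The demo reads the client certificate from a PFX file with a hard-coded password, which is fine for a sample but not for a deployed BFF. The following is an added example, not code from the article or the Dantooine sample, showing one of the alternatives mentioned above: loading the certificate from the operating system certificate store by thumbprint and checking, before it is handed to YARP, that it has a private key, is inside its validity period and carries the client-authentication EKU. The configuration key "DownstreamApi:ClientCertThumbprint" and the class name ClientCertificateLoader are assumptions for the example.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;

public static class ClientCertificateLoader
{
    // OID for the id-kp-clientAuth extended key usage.
    private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

    // Loads the downstream-API client certificate from the CurrentUser/My store
    // by thumbprint (hex, no spaces) instead of from a PFX file on disk.
    public static X509Certificate2 LoadFromStore(string thumbprint)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new ArgumentException("A certificate thumbprint is required.", nameof(thumbprint));

        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);

        // validOnly: false so that an expired certificate produces a clear error below
        // instead of a generic "not found".
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException($"No certificate with thumbprint {thumbprint} in CurrentUser/My.");

        var cert = matches[0];

        // Without a private key the handshake cannot prove possession of the certificate.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Client certificate has no private key.");

        var now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException(
                $"Client certificate is outside its validity period ({cert.NotBefore:u} to {cert.NotAfter:u}).");

        if (!HasClientAuthEku(cert))
            throw new InvalidOperationException("Client certificate does not allow client authentication (EKU).");

        return cert;
    }

    // A certificate with no EKU extension is unrestricted; otherwise id-kp-clientAuth must be listed.
    private static bool HasClientAuthEku(X509Certificate2 cert)
    {
        var ekus = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().ToList();
        if (ekus.Count == 0)
            return true;
        return ekus.Any(ext => ext.EnhancedKeyUsages.Cast<System.Security.Cryptography.Oid>()
                                  .Any(oid => oid.Value == ClientAuthEku));
    }
}

// Wiring inside Startup.ConfigureServices (assumed configuration key):
//
// var cert = ClientCertificateLoader.LoadFromStore(Configuration["DownstreamApi:ClientCertThumbprint"]);
// services.AddReverseProxy()
//     .LoadFromConfig(Configuration.GetSection("ReverseProxy"))
//     .ConfigureHttpClient((context, handler) =>
//         handler.SslOptions = new SslClientAuthenticationOptions
//         {
//             ClientCertificates = new X509CertificateCollection { cert }
//         });
```

Failing fast at startup is deliberate: a missing or expired client certificate would otherwise surface only as a TLS handshake failure on the first proxied request, which is much harder to diagnose from the Blazor client side. On an Azure App Service the same lookup works with the WEBSITE_LOAD_CERTIFICATES setting populating the store.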
The ReverseProxy section of the app settings adds the route and cluster configuration, which is almost the standard configuration from the YARP documentation. The CookieAuthenticationPolicy is applied to the route so that only authenticated requests are forwarded.
Blazor WASM is used to implement the UI, which calls the YARP endpoint. The backend validates that the HTTP request carries a secure cookie and a valid session, and uses the client certificate to get the data from the Azure API. The Azure API validates the client certificate.
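For reference, an appsettings.json ReverseProxy section of the shape described above, added here as an example and not copied from the article's repository. The route and cluster names, the /api path prefix and the App Service host name are placeholders; the AuthorizationPolicy value must match the policy name registered with AddAuthorization in the startup class.

```json
{
  "ReverseProxy": {
    "Routes": {
      "azureCertApiRoute": {
        "ClusterId": "azureCertApiCluster",
        "AuthorizationPolicy": "CookieAuthenticationPolicy",
        "Match": {
          "Path": "/api/{**catch-all}"
        }
      }
    },
    "Clusters": {
      "azureCertApiCluster": {
        "Destinations": {
          "destination1": {
            "Address": "https://<your-app-service-name>.azurewebsites.net/"
          }
        }
      }
    }
  }
}
```

The policy is evaluated by the YARP endpoint before the request is forwarded, so an unauthenticated browser request never reaches the cluster; the client certificate configured in ConfigureHttpClient is only ever presented to the destination listed here.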