Refit and mutual TLS authentication

[cguevara1970]

Hello and thanks in advance for any help anyone can provide.

We have used refit from a XamarinForms app successfully connecting to ASP.NET WebApi (not .net core). This has been working successfully for over 2 years. Our client now is requesting that we use mutual TLS authentication, or in other words that we requiere the client to have a digital certificate as well and check it before connecting.

Has anyone found a way to do this using refit? Do I have to use the httpclient component of refit? Is that available on Xamarin Forms? Or would I need to drop down to httpClient proper and rewrite all our refit code?

Thanks again.

[glennawatson]

You do not need to drop Refit. Mutual TLS is configured on the HttpClientHandler that backs the HttpClient, and Refit just sits on top of that client. So attach your client certificate to the handler and hand the resulting HttpClient to Refit:

var handler = new HttpClientHandler();
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.ClientCertificates.Add(new X509Certificate2("client.pfx", "password"));

var client = new HttpClient(handler) { BaseAddress = new Uri("https://api.example.com") };
var api = RestService.For<IMyApi>(client);

With HttpClientFactory:

services.AddRefitClient<IMyApi>()
    .ConfigureHttpClient(c => c.BaseAddress = new Uri("https://api.example.com"))
    .ConfigurePrimaryHttpMessageHandler(() =>
    {
        var h = new HttpClientHandler();
        h.ClientCertificates.Add(new X509Certificate2("client.pfx", "password"));
        return h;
    });

None of your Refit interface code changes - mTLS is purely a transport concern on the primary handler. On Xamarin.Forms HttpClientHandler with client certificates is supported on the platform handlers, so this works there too (note Xamarin.Forms is end of life; the same approach applies on MAUI/.NET).