How do Azure Function Apps handle Client Certificate Auth?


Hopefully I can make this clear enough.

Goal:

  • Client Certificate-Authenticated Azure Function

Scenario:

  • Azure Function App with:

    • HTTPS Only: set to Yes
    • Client certificate mode: set to Require
  • HTTP-triggered Azure Function (Python) which:

    • Loads client certificate from X-ARR-ClientCert header
    • Pulls a pre-shared client cert from a database and compares:
      • Issuer
      • CommonName
      • Not Valid Before/After
    • Hits the listed OCSP endpoint to see if cert is revoked
  • If properties from each cert match and the certificate has not been revoked, the Function will generate a SAS token for the requestor and send it in the response.

Question:

  • How is the cryptographic part of client cert auth handled in this scenario?
  • According to this (great) blog post, there is a CertificateVerify step where...

"The client is authenticated by using its private key to sign a hash of all the messages up to this point. The recipient verifies the signature using the public key of the signer, thus ensuring it was signed with the client’s private key."

I don't see a way to access "...all the messages up to this point" to validate this has occurred using the Function (Python) code.

Is this something Microsoft handles automagically (similar to how they forward client certs via the X-ARR-ClientCert header)? Or is this not possible?

From what I implemented in a similar case:

  • Your app receives the certificate via the header and must:
    • load the certificate (using the library cryptography in Python, for example)
    • verify the signature of the certificate with your certificate authority
    • verify the date of validity
    • verify that it has not been revoked
  • Using a web app (but the same would apply to functions), the Azure frontend seems to just launch the authentication protocol to verify that the client that sends the certificate has the associated private key (and launch the mutual auth protocol as described in the blog post). But it does not verify the validity or signature of the certificate.

The CertificateVerify step you're mentioning seems to be handled by the Azure Frontend; I don't think you need to worry about this process.

Hope this helps!
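Added example (not code from the question, the answer, or Microsoft) covering both the scenario in the question and the checklist in the answer: a Function reads the base64 DER certificate from the X-ARR-ClientCert header, verifies its signature against the trusted CA, checks the validity window and the expected issuer/subject CommonName, builds the OCSP request for the responder listed in the certificate's AIA extension, and evaluates the OCSP answer. Since proof of private-key possession (TLS CertificateVerify) already happened at the Azure frontend, these are the checks that remain for the app. The CA name, subject name and OCSP URL are constructed fixtures; `make_sample` generates a throwaway CA, client cert and OCSP response so the code runs offline.

```python
"""Checks a Function must run on the certificate forwarded in X-ARR-ClientCert.

Added example, not from the question, the answer or Microsoft. Assumes the header
value is the base64 DER that App Service forwards and that the issuing CA cert is
available to the Function (e.g. from configuration). Names/URLs are constructed.
"""
import base64
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

UTC = datetime.timezone.utc


def load_cert_from_header(headers):
    """Return the forwarded client certificate, or None if the header is missing."""
    raw = headers.get("X-ARR-ClientCert")
    return x509.load_der_x509_certificate(base64.b64decode(raw)) if raw else None


def _cn(name):
    attrs = name.get_attributes_for_oid(NameOID.COMMON_NAME)
    return attrs[0].value if attrs else None


def validate_client_cert(cert, ca_cert, expected_issuer_cn, expected_cn, now=None):
    """Return the list of failed checks; an empty list means the cert is acceptable."""
    now = now or datetime.datetime.now(UTC)
    failures = []
    # 1. Chain: the frontend does NOT check this, so verify the CA signature ourselves.
    try:
        if cert.issuer != ca_cert.subject:
            raise ValueError("issuer name does not match CA subject")
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except Exception as exc:  # InvalidSignature, ValueError, unsupported key type
        failures.append(f"signature: {exc}")
    # 2. Validity window (tz-aware accessors on new cryptography, naive UTC on old).
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=UTC)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=UTC)
    if not nb <= now <= na:
        failures.append("validity: outside not_before/not_after")
    # 3. Identity: compare with the values stored for this client (the DB copy in the question).
    if _cn(cert.issuer) != expected_issuer_cn:
        failures.append("issuer CN mismatch")
    if _cn(cert.subject) != expected_cn:
        failures.append("subject CN mismatch")
    return failures


def build_ocsp_request(cert, ca_cert):
    """Return (OCSP responder URLs from the AIA extension, DER request to POST to one of them)."""
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
        urls = [d.access_location.value for d in aia
                if d.access_method == AuthorityInformationAccessOID.OCSP]
    except x509.ExtensionNotFound:
        urls = []
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, ca_cert, hashes.SHA1()).build()
    return urls, req.public_bytes(serialization.Encoding.DER)


def ocsp_response_is_good(der_response, ca_cert):
    """True only for a SUCCESSFUL response signed by the CA itself that says GOOD."""
    resp = ocsp.load_der_ocsp_response(der_response)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    try:  # a delegated OCSP responder certificate would need its own chain check here
        ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                    ec.ECDSA(resp.signature_hash_algorithm))
    except Exception:
        return False
    return resp.certificate_status == ocsp.OCSPCertStatus.GOOD


def make_sample(now=None):
    """Constructed fixtures: throwaway CA, a client cert it issued, a GOOD OCSP response."""
    naive = (now or datetime.datetime.now(UTC)).replace(tzinfo=None)  # builders take naive UTC
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Client CA")])
    ca_cert = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(naive - datetime.timedelta(days=1))
               .not_valid_after(naive + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    client_key = ec.generate_private_key(ec.SECP256R1())
    client_cert = (x509.CertificateBuilder()
                   .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "partner-01")]))
                   .issuer_name(ca_name).public_key(client_key.public_key())
                   .serial_number(x509.random_serial_number())
                   .not_valid_before(naive - datetime.timedelta(hours=1))
                   .not_valid_after(naive + datetime.timedelta(days=30))
                   .add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
                       AuthorityInformationAccessOID.OCSP,
                       x509.UniformResourceIdentifier("http://ocsp.example.invalid"))]),
                       critical=False)
                   .sign(ca_key, hashes.SHA256()))
    good = (ocsp.OCSPResponseBuilder()
            .add_response(cert=client_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=naive,
                          next_update=naive + datetime.timedelta(hours=1),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()))
    headers = {"X-ARR-ClientCert": base64.b64encode(
        client_cert.public_bytes(serialization.Encoding.DER)).decode()}
    return ca_cert, headers, good.public_bytes(serialization.Encoding.DER)
```

In a real Function, `build_ocsp_request` gives you the URL and body to POST (content type `application/ocsp-request`); the bytes that come back go to `ocsp_response_is_good`. Only when `validate_client_cert` returns an empty list and the OCSP answer is GOOD should the Function mint the SAS token; treat a missing header, an unreachable responder or a non-SUCCESSFUL OCSP status as a denial rather than a pass.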