Hopefully I can make this clear enough.
Goal:
- Client Certificate-Authenticated Azure Function
Scenario:
Azure Function App with:
HTTPS Only:
set toYes
Client certificate mode:
set toRequire
HTTP-triggered Azure Function (Python) which:
- Loads client certificate from
X-ARR-ClientCert
header - Pulls a pre-shared client cert from a database and compares:
- Issuer
- CommonName
- Not Valid Before/After
- Hits the listed OCSP endpoint to see if cert is revoked
- Loads client certificate from
If properties from each cert match and the certificate has not been revoked, the Function will generate a SAS token for the requestor and send it in the response.
Question:
- How is the cryptographic part of client cert auth handled in this scenario?
- According to this (great) blog post, there is a
CertificateVerify
step where...
"The client is authenticated by using its private key to sign a
hash of all the messages up to this point. The recipient verifies
the signature using the public key of the signer, thus ensuring it
was signed with the client’s private key."
I don't see a way to access ...all the messages up to this point.
to validate this has occured using the Function (Python) code.
Is this something Microsoft handles automagically (similar to how they forward client certs via the X-ARR-ClientCert
header)? Or is this not possible?
From what I implemented in a similar case:
The CertificateVerify step you're mentionning seems to be handled by the Azure Frontend, I don't think your need to worry about this process.
Hopes this helps !