Reputation: 3428
I'm trying to implement the MS Azure authentication described here: https://github.com/Azure/azure-resource-provider-sdk/tree/master/docs#authentication but the only thing stated there is:
You are responsible for verifying the caller's certificate thumbprint. Only accept calls from certificates that have the correct public key.
How do I do this? Preferably in PHP. Thanks in advance.
Upvotes: 0
Views: 214
Reputation: 2116
Per my understanding, the Resource Provider (RP) API is HTTP RESTful, and here is the certificate that is used by Azure to call your RP: https://github.com/Azure/azure-resource-provider-sdk/blob/master/docs/misc/AzureStoreLatest.cer. To implement the RP authentication mentioned on https://github.com/Azure/azure-resource-provider-sdk/tree/master/docs#authentication, you can verify the certificate that is sent with requests to your RP. Based on my experience, we usually check the serial number or thumbprint of a certificate to verify its authorization; the official samples published at https://github.com/Azure/azure-resource-provider-sdk/tree/master/samples use the same approach for certificate verification. E.g. below is a C# version of AuthorizeRequest for your reference:
```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// AuthorizeRequest from the official RP samples: the caller is accepted only
// when its client certificate's SHA-1 thumbprint matches one of the pinned
// Azure Store certificates (ConfigurationDataProvider and Logger are the
// samples' own helper classes).
public static bool AuthorizeRequest(X509Certificate2 clientCertificate)
{
    if (ConfigurationDataProvider.AzureStoreRequestAuthorization)
    {
        if (clientCertificate == null || (
            // BaltimoreRdfeExtensibilityClientProd.cer, will expire on Saturday, February 14, 2015
            !clientCertificate.Thumbprint.Equals("F2693F8487AB975A28C19610A672E59DDCF873F2", StringComparison.OrdinalIgnoreCase) &&
            // BaltimoreRdfeExtensibilityClientStage.cer, will expire on Saturday, February 14, 2015
            !clientCertificate.Thumbprint.Equals("19D02B07DEC22C0998BB266A7DA5BA8B4D42A0A6", StringComparison.OrdinalIgnoreCase)
            ))
        {
            // Log subject and thumbprint of the rejected caller (or <null> if none was presented).
            Logger.ErrorFormat(
                format: "Unauthorized access to Azure Store integration endpoints: {0}, {1}",
                arg0: clientCertificate != null ? clientCertificate.Subject : "<null>",
                arg1: clientCertificate != null ? clientCertificate.Thumbprint : "<null>"
            );
            return false;
        }
    }
    return true;
}
```
In PHP & OpenSSL, we can leverage the SSL_CLIENT_M_SERIAL variable (http://pilif.github.io/2013/07/how-to-accept-ssl-client-certificates/) to get the serial of the client certificate, then check if the value equals the serial number of AzureStoreLatest.cer. (You can hard-code the serial number in your code, just like the above C# sample does.)
I'd like to point out some concepts and tips for using the RP API:
https://github.com/Azure/azure-resource-provider-sdk/blob/master/docs/concepts.md
https://github.com/Azure/azure-resource-provider-sdk/blob/master/docs/tips-and-tricks.md
If you have any further concerns during implementation, please feel free to let us know and provide more info about what you have tried.
Upvotes: 1
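An added PHP version of the same thumbprint pinning (example code, not from the answer or the Azure SDK). It assumes Apache mod_ssl with client verification enabled and `SSLOptions +ExportCertData`, which exposes the caller's PEM certificate as `$_SERVER['SSL_CLIENT_CERT']`; the thumbprint constant is a placeholder to be filled in from AzureStoreLatest.cer.

```php
<?php
// Added example (not from the answer or the Azure SDK): authorize an RP call
// by pinning the caller's certificate thumbprint, the PHP counterpart of the
// C# AuthorizeRequest above. Assumes Apache mod_ssl with SSLVerifyClient and
// "SSLOptions +ExportCertData", which exposes the PEM client certificate as
// $_SERVER['SSL_CLIENT_CERT'] (the serial is in SSL_CLIENT_M_SERIAL).

// Placeholder: replace with the SHA-1 thumbprint of AzureStoreLatest.cer, e.g.
//   openssl x509 -in AzureStoreLatest.cer -inform DER -noout -fingerprint -sha1
const AZURE_STORE_THUMBPRINTS = [
    'REPLACE_WITH_SHA1_THUMBPRINT_OF_AZURESTORELATEST_CER',
];

/**
 * Returns true only when $pemCert is present, parses, and its SHA-1
 * thumbprint (hash of the DER bytes, identical to X509Certificate2.Thumbprint)
 * matches one of the pinned values.
 */
function authorizeRequest(?string $pemCert, array $allowedThumbprints): bool
{
    if ($pemCert === null || trim($pemCert) === '') {
        error_log('Unauthorized access to Azure Store endpoints: <null>, <null>');
        return false;
    }
    $cert = openssl_x509_read($pemCert);
    if ($cert === false) {
        error_log('Unauthorized access: client certificate could not be parsed');
        return false;
    }
    // Normalize to the colon-free upper-case form used in the C# sample.
    $thumb = strtoupper(openssl_x509_fingerprint($cert, 'sha1', false));
    foreach ($allowedThumbprints as $allowed) {
        $allowed = strtoupper(str_replace(':', '', $allowed));
        // Constant-time comparison, so a mismatch leaks nothing about the pin.
        if (hash_equals($allowed, $thumb)) {
            return true;
        }
    }
    $subject = openssl_x509_parse($cert)['name'] ?? '<unknown>';
    error_log("Unauthorized access to Azure Store endpoints: $subject, $thumb");
    return false;
}

// Gate the RP endpoint on the pinned certificate before doing any work.
if (!authorizeRequest($_SERVER['SSL_CLIENT_CERT'] ?? null, AZURE_STORE_THUMBPRINTS)) {
    http_response_code(403);
    exit;
}
```

Pinning the thumbprint binds the whole certificate, whereas SSL_CLIENT_M_SERIAL is only unique within the issuing CA, so a serial-based check should also compare the issuer (SSL_CLIENT_I_DN). Either way the pinned value must be updated when Azure rotates its certificate, as the expiry comments in the C# sample show.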