Sam

Reputation: 41

API Management to forward client certificate

I am trying to achieve the following scenario but end up with a 403 response: Client -> sends Cert A -> API Management -> forwards Cert A -> Backend API (Azure API App) -> authenticates the certificate.

Is there a way to configure API Management to forward the incoming certificate to the backend API? I tried various transformation policies on the incoming request, but none of the options worked.

Please suggest.

Upvotes: 4

Views: 933

Answers (2)

DSpirit

Reputation: 2280

With the new authentication-certificate policy (learn.microsoft.com) you may return the certificate as a byte[] coming from a separate send-request response variable and use it as follows:

<authentication-certificate body="@(context.Variables.GetValueOrDefault<byte[]>("byteCertificate"))" password="optional-certificate-password" />

You could store the password as a secret named value, or even get it from Key Vault by using this snippet: github.com/Azure/api-management-policy-snippets

Upvotes: 0

Vitaliy Kurokhtin

Reputation: 7810

This is technically not possible, since the client certificate's private key is never transmitted over the wire. So there is no way APIM could use it to authenticate to the backend. Even more so since there is no affinity between the client connection and the backend connection in APIM. Your best option is to send client certificate information in a custom header. You can use the set-header policy to set it at the APIM level, along with policy expressions to extract client certificate information from the request.

Upvotes: 1
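The header-based approach from the answer above, written out as an added example of an APIM inbound policy. This is not code from either answer or from Azure's documentation; the header names, the placeholder thumbprint in authentication-certificate and the requirement that the APIM custom domain has client certificate negotiation enabled are assumptions. The policy rejects requests that carry no client certificate (or one that fails the chain check), copies identifying fields of the certificate into headers, and has APIM present its own uploaded certificate to the backend so the backend can tell these headers came from APIM rather than from a caller who reached it directly:

```xml
<policies>
    <inbound>
        <base />
        <!-- Added example, not from the original answers. Reject calls that arrived
             without a TLS client certificate or with one whose chain does not verify.
             context.Request.Certificate is only populated when client certificate
             negotiation is enabled on the APIM custom domain (assumed here). -->
        <choose>
            <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify())">
                <return-response>
                    <set-status code="403" reason="Client certificate required" />
                </return-response>
            </when>
        </choose>
        <!-- Forward identifying fields of the client certificate. Only public certificate
             data is available here; the private key never leaves the client.
             exists-action="override" matters: a caller must not be able to inject these
             headers through APIM and impersonate another certificate. -->
        <set-header name="X-Client-Cert-Thumbprint" exists-action="override">
            <value>@(context.Request.Certificate.Thumbprint)</value>
        </set-header>
        <set-header name="X-Client-Cert-Subject" exists-action="override">
            <value>@(context.Request.Certificate.Subject)</value>
        </set-header>
        <!-- The whole DER certificate, base64-encoded, so the backend can re-parse and
             re-validate it (issuer, expiry, pinning) rather than trusting the summary fields. -->
        <set-header name="X-Client-Cert" exists-action="override">
            <value>@(Convert.ToBase64String(context.Request.Certificate.GetRawCertData()))</value>
        </set-header>
        <!-- Authenticate APIM itself to the backend with a certificate uploaded to APIM
             (placeholder thumbprint, assumed). The backend should accept the X-Client-Cert-*
             headers only on connections that present this certificate; otherwise anyone who
             can reach the backend directly can forge them. -->
        <authentication-certificate thumbprint="0000000000000000000000000000000000000000" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The backend side is then an authorization decision rather than TLS authentication: it checks that the request arrived over the mutually authenticated APIM-to-backend connection, decodes X-Client-Cert, and matches the thumbprint or subject against its own allowlist. Without that first check, the custom headers give no security at all, since they are plain request headers to anyone who bypasses the gateway.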
