sg1993

Reputation: 335

Azure APIM: sending client certificate to backend for authentication

We have an APIM which forwards requests to different backend servers based on different policies. I want to restrict requests to backend servers to only come from that APIM (and no other entity). Two options at hand were:

  1. IP filtering at backend servers to accept requests only if they come from APIM IP addresses - don't want to go down this path since APIM IP addresses can change and it's a hassle to keep the list updated.
  2. A client-certificate authentication mechanism - APIM will send a certificate which can then be verified by backend-server.

What I haven't been able to understand is how does APIM send the certificate? Is the certificate sent in an HTTP header or is the certificate sent in the TLS layer below HTTP?

Asking this because: I am looking for a way to not mandate backend servers to do APIM certificate authentication; i.e. APIM should send the certificate but what different backend servers do with it is up to them (they may choose to verify the client certificate or just allow the request without verification). For this to work, my understanding is that it's best to send the client certificate from APIM as part of a custom header. If the authentication-certificate policy in APIM sends the certificate in the TLS layer, then it's not necessary that the certificate will reach the backend server's application logic. For instance, in the case where the backend is an Azure app web service, the TLS termination happens at a frontend load balancer which then forwards the certificate to the app code in a custom header X-ARR-ClientCert. Since I am dealing with different kinds of backend servers (not only Azure App Service), sending the certificate in a custom header (which will make its way to app code in the same header regardless of the backend server type) makes more sense.

Any thoughts on this approach and if my understanding is wrong on how client-certificates in APIM work?

Upvotes: 0

Views: 1784
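The two delivery paths the question contrasts end up as the same thing on the backend: DER-encoded certificate bytes, either returned by the TLS stack (`ssl.SSLSocket.getpeercert(binary_form=True)`) or base64-encoded in a header such as X-ARR-ClientCert. The sketch below (added here as an illustration; it is not code from the question, the answer, or Azure) pins the SHA-256 thumbprint of whichever certificate arrives and shows the check a backend needs before trusting the header form: the header is only meaningful when a trusted frontend terminates TLS and overwrites or strips it, since otherwise any caller can set it. The certificate bytes, thumbprint allowlist and header dictionaries are constructed placeholders, and `trust_cert_header` is an assumed configuration flag.

```python
import base64
import hashlib
from typing import Mapping, Optional

# Constructed placeholder standing in for the DER bytes of the APIM client
# certificate. The pinning logic below only hashes raw bytes, so it does not
# need a real X.509 structure to demonstrate the flow.
CONSTRUCTED_APIM_CERT_DER = b"constructed-placeholder-not-a-real-der-certificate"

# Allowlist of SHA-256 thumbprints (hex) the backend accepts. In a deployment
# this holds the thumbprint of the certificate actually uploaded to APIM.
ALLOWED_THUMBPRINTS = {hashlib.sha256(CONSTRUCTED_APIM_CERT_DER).hexdigest()}

# Header used by the App Service front end; assumed to be the name any other
# frontend is configured to forward the certificate in.
CERT_HEADER = "X-ARR-ClientCert"


def thumbprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, lower-case hex: the usual pinning form."""
    return hashlib.sha256(der).hexdigest()


def header_for(der: bytes) -> dict:
    """Build the header a frontend adds when forwarding the certificate `der`."""
    return {CERT_HEADER: base64.b64encode(der).decode("ascii")}


def cert_from_header(headers: Mapping[str, str]) -> Optional[bytes]:
    """Decode a base64 DER certificate carried in an HTTP header.

    Header names are case-insensitive, so match them case-insensitively.
    Returns None when the header is absent or is not valid base64.
    """
    for name, value in headers.items():
        if name.lower() == CERT_HEADER.lower():
            try:
                return base64.b64decode(value, validate=True)
            except (ValueError, TypeError):  # binascii.Error subclasses ValueError
                return None
    return None


def authorize(headers: Mapping[str, str],
              tls_peer_der: Optional[bytes] = None,
              trust_cert_header: bool = False) -> str:
    """Decide whether the caller presented an allow-listed client certificate.

    tls_peer_der:      what ssl.SSLSocket.getpeercert(binary_form=True) returned
                       when TLS terminates in this process (None if no client
                       certificate was presented or TLS terminates elsewhere).
    trust_cert_header: True only when a trusted frontend terminates TLS and
                       always overwrites or strips CERT_HEADER on the way in;
                       otherwise any client could forge the header.
    Returns "allowed", "rejected" (certificate present but not pinned) or
    "no-cert" (nothing usable was presented).
    """
    der = tls_peer_der
    if der is None and trust_cert_header:
        der = cert_from_header(headers)
    if der is None:
        return "no-cert"
    return "allowed" if thumbprint(der) in ALLOWED_THUMBPRINTS else "rejected"


if __name__ == "__main__":
    # Constructed request as an App Service front end would deliver it.
    hdrs = header_for(CONSTRUCTED_APIM_CERT_DER)
    print(authorize(hdrs, trust_cert_header=True))          # allowed
    print(authorize(hdrs))                                   # no-cert: header not trusted
    print(authorize({}, tls_peer_der=b"some-other-cert"))   # rejected
```

Because `authorize` takes the raw DER from either source, a backend that terminates TLS itself and one sitting behind a header-forwarding frontend share the same allowlist and the same decision; only the `trust_cert_header` setting differs, and it should be false anywhere the header could reach the app unfiltered.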

Answers (1)

Kai Walter

Reputation: 4001

I don't know whether this answer helps you. I did some investigation a few months back. As I understood, inbound and outbound client certificates are handled at the TLS level and only some primitives in Azure, e.g. Front Door, Application Gateway or App Service, can bring the client certificate up from the TLS level into an HTTP header to be processed by a backend. As this solution was not universal enough for my case and one 3rd party backend was limited anyway, I designed towards server-to-server certificates.

Upvotes: 1
