Azure App Service client side certificate exclusion path

Question

Similar to this and this, but I'm wondering if I can inverse the exclusion path? i.e. list the paths that require a client side cert. It's not practical to exclude all paths, because it's a lot.

Same for other services. If we have mixed client-side-cert required and none, do we always need to create separate services, e.g. App Service, Api Management etc. ? Sort of annoying

Answer 1

I don't believe there is a way to invert the exclusions paths on the Azure App Service. However, you can follow this workaround to have full flexibility of the paths that require a client certificate.

Answer 2

Currently this feature not available. Only one way to implement this that is Exclude paths from requiring authentication

Enable mutual auth for your application, all paths under the root of your app require a client certificate for access. To remove this requirement for certain paths, define exclusion paths as part of your application configuration.

1. From the left navigation of your app's management page, select Configuration > General Settings.

2. Next to Client exclusion paths, click the edit icon.

3. Click New path, specify a path, or a list of paths separated by , or ;, and click OK.

4. Click Save at the top of the page.

In the following screenshot, any path for your app that starts with /public does not request a client certificate. Path matching is case-insensitive.

If you required to add multiple exclusion paths please give a feedback here