Azure Api Management | ADB2C | Custom API

Question

Azure Api Management | ADB2C | Custom API

Abhay Chandramouli 1,061

Hi,
I was going through this document, https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api?tabs=windows&pivots=b2c-custom-policy#https-client-certificate-authentication.

The API being called is from Azure APIM. I need to know the correct way to validate the client certificate using policies in apim.

Please suggest.

0 comments

Answer accepted by question author

0 additional answers

Your answer

Answer 1

JananiRamesh-MSFT 29,446 Moderator

@Abhay Chandramouli Thanks for reaching out. To validate a client certificate using policies in APIM, you can use the validate-client-certificate policy. This policy enforces that a certificate presented by a client to an APIM instance matches specified validation rules and claims such as subject or issuer for one or more certificate identities.

For more information please refer:

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients#policy-to-validate-client-certificates

https://learn.microsoft.com/en-us/azure/api-management/validate-client-certificate-policy

let me know incase of further queries, I would be happy to assist you.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

Abhay Chandramouli 1,061 Reputation points

2023-11-03T10:54:27.7933333+00:00
Hi @JananiRamesh-MSFT ,

Thanks for the quick response, I hope the answer is relevant even if the api is called via ADB2C custom policies ?

Also which is the correct method ?

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients#policy-to-validate-client-certificates

https://learn.microsoft.com/en-us/azure/api-management/validate-client-certificate-policy

Thanks again
JananiRamesh-MSFT 29,446 Reputation points Moderator

2023-11-03T11:27:21.6733333+00:00

@Abhay Chandramouli Thanks for getting back,

Yes, the process of validating client certificates in APIM is still applicable even if the API is being called via Azure AD B2C custom policies.

When you secure an API in Azure API Management with Azure AD B2C, you're essentially restricting access to your Azure API Management API to clients that have authenticated with Azure Active Directory B2C (Azure AD B2C). This means that only those requests that include a valid Azure AD B2C-issued access token are allowed.

In addition to this, you can use the validate-client-certificate policy in APIM to enforce that a certificate presented by a client. This provides an additional layer of security by ensuring that the client not only presents a valid access token, but also a valid client certificate.

So, even if the API is being called via Azure AD B2C custom policies, you can still validate client certificates using policies in APIM.

1st document provides high-level overview of how to use the validate-client-certificate policy 2nd includes a basic example of how to use the policy.

let me know incase of further queries, I would be happy to assist you.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

Share via

Azure Api Management | ADB2C | Custom API

0 additional answers

Your answer