[BUG] API Management Inbound Processing authentication-certificate validation issue

Question

I encountered an issue with the frontend validation of the authentication-certificate element in the Inbound Processing code editor.

Normally, when you use an invalid certificate-id property on the authentication-certificate element and try to save, it triggers a validation error:

One or more fields contain incorrect values:

• Error in element 'authentication-certificate' on line 5, column 10: Certificate 'sdfsdf' could not be resolved.

However, the validation is not triggered for differences in casing (case insensitive). The issue here is that it appears that the actual usage of the policy is case sensitive and silently fails to include the certificate in the requests to the target API.

Should be easy to reproduce. Add a certificate to an APIM instance, e.g. "examplecertificate" and save an Inbound Processing policy with a different casing:

<authentication-certificate certificate-id="ExampleCertificate" />

Confirm that the client certificate is not sent with requests.

Answer 1

Sam Best I am able to reproduce this issue at my end. When saving certificate-id in the authentication-certificate policy, currently validation does allow certificate-id value to be saved in a case insensitive way. However, while executing the policy it fails with the below error (can be found in trace):

This is definitely a bug, and we will fix it in the upcoming releases. Thanks again for reporting this bug. Please let me know if you have any questions.

---

If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.