Share via

Optional mTLS / client authentication

Toni Arte 20 Reputation points
2024-03-08T10:56:37.9033333+00:00

Is it possible to configure Azure Application Gateway to support OPTIONAL client certificates when using mTLS?

What I'm looking for is something similar to this nginx-ingress definition:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-secret: "{{ .Release.Namespace }}/{{ .Values.x509_root_ca.name }}-ca-tls"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" #"on"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"

I.e. way to tell the Application Gateway to request, but not require, a client certificate and forward the certificate to the backend pool.

The use case would be Keycloak, with optional X.509 smartcard authentication.

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,014 questions
Accepted answer
  1. ChaitanyaNaykodi-MSFT 24,666 Reputation points Microsoft Employee
    2024-03-08T16:28:33.9+00:00

    @Toni Arte

    I got a response back from the team.

    Is it possible to configure Azure Application Gateway to support OPTIONAL client certificates when using mTLS?

    Currently this is not supported. The team is aware of this feature request but currently there is no fixed ETA available on when this feature will be rolled out.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest