Optional mTLS / client authentication

Toni Arte 20 Reputation points
2024-03-08T10:56:37.9033333+00:00

Is it possible to configure Azure Application Gateway to support OPTIONAL client certificates when using mTLS?

What I'm looking for is something similar to this nginx-ingress definition:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-secret: "{{ .Release.Namespace }}/{{ .Values.x509_root_ca.name }}-ca-tls"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" #"on"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"

I.e., a way to tell the Application Gateway to request, but not require, a client certificate and forward the certificate to the backend pool.

The use case would be Keycloak, with optional X.509 smartcard authentication.
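As an added example (not code from the question or the answer), this is how a backend behind the nginx-ingress configuration above would consume the forwarded certificate: "optional" means a missing or failed certificate is simply unauthenticated, and the proxy-written headers are honoured only on the hop from the ingress. The header names and values (ssl-client-verify, ssl-client-cert, ssl-client-subject-dn) are assumed from the ingress-nginx template, and the certificate bytes are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import urllib.parse
from dataclasses import dataclass
from typing import Mapping, Optional

# Headers set by ingress-nginx when auth-tls-pass-certificate-to-upstream is "true" (assumed from the
# controller's nginx template): ssl-client-verify is "SUCCESS", "NONE" (no cert offered) or "FAILED:<reason>",
# ssl-client-cert is the URL-encoded PEM, ssl-client-subject-dn is the subject DN string.
VERIFY_HDR, CERT_HDR, SUBJECT_HDR = "ssl-client-verify", "ssl-client-cert", "ssl-client-subject-dn"

@dataclass
class ClientIdentity:
    authenticated: bool  # True only when the ingress verified the certificate chain
    subject_dn: Optional[str]
    sha256_fingerprint: Optional[str]
    reason: str

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the DER body (raises ValueError on garbage)."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)

def identity_from_headers(headers: Mapping[str, str], from_ingress: bool) -> ClientIdentity:
    """Map the forwarded mTLS headers to an identity; 'no cert' is unauthenticated, not an error."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    # The headers are plain text written by the proxy: trust them only on the hop from the ingress,
    # otherwise a client that reaches the backend directly could forge an identity.
    if not from_ingress:
        return ClientIdentity(False, None, None, "headers ignored: request did not arrive via the ingress")
    verify = h.get(VERIFY_HDR, "NONE")
    if verify != "SUCCESS":
        # Optional mode: let the application fall through to its other login methods.
        return ClientIdentity(False, None, None, f"no verified client certificate ({verify})")
    raw = h.get(CERT_HDR)
    if not raw:
        return ClientIdentity(False, None, None, "verify=SUCCESS but certificate header missing")
    try:
        der = pem_to_der(urllib.parse.unquote(raw))
    except ValueError:
        return ClientIdentity(False, None, None, "certificate header is not valid PEM")
    return ClientIdentity(True, h.get(SUBJECT_HDR), sha256_hex(der), "client certificate verified by ingress")

# Constructed sample: a placeholder DER body (NOT a real X.509 certificate) wrapped the way nginx forwards it.
PLACEHOLDER_DER = b"placeholder DER bytes, not a real certificate"
_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(PLACEHOLDER_DER).decode() + "\n-----END CERTIFICATE-----\n"
SAMPLE_WITH_CERT = {VERIFY_HDR: "SUCCESS", CERT_HDR: urllib.parse.quote(_PEM, safe=""), SUBJECT_HDR: "CN=Example User,O=Example Org"}
```

The fingerprint is what an application would log or map to a user record; the subject DN header is convenient but comes from the same proxy, so both are only as trustworthy as the network path between ingress and backend.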

Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.

Accepted answer
ChaitanyaNaykodi-MSFT 22,311 Reputation points Microsoft Employee
2024-03-08T16:28:33.9+00:00

@Toni Arte

I got a response back from the team.

Is it possible to configure Azure Application Gateway to support OPTIONAL client certificates when using mTLS?

Currently this is not supported. The team is aware of this feature request, but currently there is no fixed ETA available on when this feature will be rolled out.

Hope this helps! Please let me know if you have any additional questions. Thank you!

