@JKFrancis Thanks for reaching out. In App Service or a Function App, when you enable Incoming client certificates in the configuration, the App Service front end terminates TLS and injects an `X-ARR-ClientCert` request header containing the base64-encoded (DER) client certificate. App Service does nothing with this certificate other than forward it to your app: it does not check the chain, the validity period, or the thumbprint. Your app code is responsible for validating the client certificate, as documented here.
So for a Function App or App Service you need to write your own code to validate the client certificate. Unless you write that validation, requests will succeed even when no client certificate, or an invalid one, is presented, because App Service only forwards the header and never rejects a request on its own.
For reference, you can add an HTTP-trigger function like the one below and reuse its checks from your other functions to decide whether the presented certificate is acceptable. Adapt it to your requirements (for example, pin by thumbprint as shown, or validate issuer/subject/EKU instead). Note that the header is only trustworthy when the request actually arrived through the App Service front end with client certificates enabled; if the app is reachable by any other path (local run, another proxy in front of it), a caller could set `X-ARR-ClientCert` themselves.
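/// <summary>
/// HTTP-triggered function that validates the client certificate App Service forwards in the
/// X-ARR-ClientCert header and, on success, returns an encoded random string.
/// </summary>
/// <param name="req">The incoming HTTP request; only the X-ARR-ClientCert header is read.</param>
/// <returns>
/// 200 with the output of GetEncodedRandomString when the pinned certificate is presented and
/// is within its validity period; otherwise 400 with a short reason.
/// </returns>
/// <remarks>
/// The header is only trustworthy when the request reached this app through the App Service
/// front end with client certificates enabled; by any other path (local run, another proxy in
/// front of the app) a caller can set X-ARR-ClientCert themselves.
/// Pinning by thumbprint stands in for chain building and revocation checking: exactly one
/// certificate is accepted, so the pinned value must be updated whenever the client
/// certificate is renewed.
/// </remarks>
[FunctionName("ValidateCertAuth")]
public IActionResult RandomStringCertAuth(
    [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req)
{
    _log.LogInformation("C# HTTP trigger to validate the certificate.");

    // TODO(review): read the expected thumbprint from app settings rather than hard-coding it.
    const string expectedThumbprint = "yourthumprint";

    // Treat a missing header and a present-but-empty header the same way; indexing an empty
    // StringValues with cert[0] would otherwise throw instead of returning 400.
    StringValues cert;
    if (!req.Headers.TryGetValue("X-ARR-ClientCert", out cert)
        || cert.Count == 0
        || string.IsNullOrWhiteSpace(cert[0]))
    {
        return new BadRequestObjectResult("A valid client certificate is not found");
    }

    // The header carries the DER certificate as base64. Malformed or non-certificate input
    // throws FormatException / CryptographicException, which would surface as an unhandled
    // HTTP 500 instead of a 400, so decode and parse under a catch.
    X509Certificate2 clientCert;
    try
    {
        byte[] clientCertBytes = Convert.FromBase64String(cert[0]);
        clientCert = new X509Certificate2(clientCertBytes);
    }
    catch (FormatException)
    {
        return new BadRequestObjectResult("A valid client certificate is not found");
    }
    catch (System.Security.Cryptography.CryptographicException)
    {
        return new BadRequestObjectResult("A valid client certificate is not found");
    }

    // X509Certificate2 wraps a native handle; dispose it on every exit path.
    using (clientCert)
    {
        // Validate Thumbprint. The thumbprint is hex text, so compare case-insensitively so
        // that a lower-case configured value still matches the upper-case value .NET reports.
        if (!string.Equals(clientCert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            return new BadRequestObjectResult("A valid client certificate is not used");
        }

        // Validate NotBefore and NotAfter. X509Certificate2 exposes these in *local* time, so
        // convert to UTC before comparing with UtcNow; comparing the raw values against UtcNow
        // is off by the machine's UTC offset on any non-UTC host.
        DateTime now = DateTime.UtcNow;
        if (now < clientCert.NotBefore.ToUniversalTime() || now > clientCert.NotAfter.ToUniversalTime())
        {
            return new BadRequestObjectResult("client certificate not in alllowed time interval");
        }

        // Add further validation of certificate as required (issuer, subject, EKU, revocation).
        return new OkObjectResult(GetEncodedRandomString());
    }
}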