Function apps should have Client Certificates (incoming client certificates) enabled

JKFrancis 31 Reputation points
2022-02-01T22:20:04.853+00:00

How would this affect a function app, will the existing users be needing special kind of privileges to access these apps or any system that is using needs special privileges to access this apps.

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
2,785 questions
{count} votes

1 answer

Sort by: Most helpful
  1. MayankBargali-MSFT 52,606 Reputation points
    2022-02-02T06:43:17.45+00:00

    @JKFrancis Thanks for reaching out. In app service or function app when you update the configuration of Incoming client certificates the app service injects an X-ARR-ClientCert request header with the client certificate. App Service does not do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client certificate as documented here.

    So in case if function app/app service you need to write your own code to validate the client certificate. Until and unless you are not writing any code for the validation it should work without passing the client certificate and right authentication.

    For reference, you can create an HTTP trigger function app and call this function in other functions to validate if the certificate is valid or not. You can modify it as per your requirement.

    [FunctionName("ValidateCertAuth")]  
    public IActionResult RandomStringCertAuth(  
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req)  
    {  
        _log.LogInformation("C# HTTP trigger to validate the certificate.");  
       
        StringValues cert;  
        if (req.Headers.TryGetValue("X-ARR-ClientCert", out cert ))  
        {  
            byte[] clientCertBytes = Convert.FromBase64String(cert[0]);  
            X509Certificate2 clientCert = new X509Certificate2(clientCertBytes);  
       
            // Validate Thumbprint  
            if (clientCert.Thumbprint != "yourthumprint")  
            {  
                return new BadRequestObjectResult("A valid client certificate is not used");  
            }  
       
            // Validate NotBefore and NotAfter  
            if (DateTime.Compare(DateTime.UtcNow, clientCert.NotBefore) < 0  
                        || DateTime.Compare(DateTime.UtcNow, clientCert.NotAfter) > 0)  
            {  
                return new BadRequestObjectResult("client certificate not in alllowed time interval");  
            }  
       
            // Add further validation of certificate as required.  
       
            return new OkObjectResult(GetEncodedRandomString());  
        }  
       
        return new BadRequestObjectResult("A valid client certificate is not found");              
    }