mTLS using Azure Function HTTP Trigger?

2.6k views Asked by At

I'm working at building an auth token server using a Python Azure Function with HTTP trigger. The goal is to use mutual TLS (mTLS) authentication.

The way it will work:

  1. Client sends http request to Function endpoint with two headers:
  • requestor-id : an identifier used for lookups
  • X-ARR-ClientCert : a string representation of their .pem certificate
  1. The Function will look in a database where requestor's .pem has been previously shared
  2. Using pyOpenSSL, the Function will load the two .pem files and compare the request cert and the retrieved certs:
  • not_valid_before/after dates
  • common name
  • issuer
  • thumbprint
  1. If each property of the certs match, the Function will respond with an auth token for use in a downstream data call

My question is:

  • This isn't really "mutual" as the server hosting the Function code is not presenting its certificate anywhere (visible) in the handshake.
  • Is the server side of mTLS handshake configured elsewhere or does it "just work" because the Function endpoint is https out of the box?
1

There are 1 answers

2
Jim Xu On BEST ANSWER

If you want to mutual TLS (mTLS) authentication in Azure function app, you just need to enable client certificates. After doing that, Function App Service injects an X-ARR-ClientCert request header with the client certificate. Function App Service does not do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client certificate. FOr more details, please refer to here and here