I'm working at building an auth token server using a Python Azure Function with HTTP trigger. The goal is to use mutual TLS (mTLS) authentication.
The way it will work:
- Client sends http request to Function endpoint with two headers:
  - `requestor-id`: an identifier used for lookups
  - `X-ARR-ClientCert`: a string representation of their `.pem` certificate
- The Function will look in a database where requestor's `.pem` has been previously shared
- Using `pyOpenSSL`, the Function will load the two `.pem` files and compare the request cert and the retrieved certs:
  - `not_valid_before/after` dates
  - common name
  - issuer
  - thumbprint
- If each property of the certs matches, the Function will respond with an auth token for use in a downstream data call
My question is:
- This isn't really "mutual" as the server hosting the Function code is not presenting its certificate anywhere (visible) in the handshake.
- Is the server side of mTLS handshake configured elsewhere or does it "just work" because the Function endpoint is https out of the box?
If you want to use mutual TLS (mTLS) authentication in Azure function app, you just need to enable client certificates. After doing that, Function App Service injects an `X-ARR-ClientCert` request header with the client certificate. Function App Service does not do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client certificate. For more details, please refer to here and here
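Since the platform only forwards the certificate, the validation the question describes has to live in the Function itself. The following is an added, framework-agnostic example (not code from the question or from Azure's documentation) of that validation step. It assumes the `X-ARR-ClientCert` header carries the base64 certificate body without the PEM armour (the same base64 that sits between the `BEGIN`/`END` lines of the stored `.pem`), uses a constructed in-memory dictionary in place of the requestor database, and uses constructed bytes rather than a real certificate so it runs offline. It compares a SHA-256 thumbprint of the presented DER against the stored `.pem` with a constant-time comparison: if the DER bytes are identical, every field the question lists (validity dates, common name, issuer, thumbprint) is identical too, so a single thumbprint check covers all of them without a parser. The validity window is then checked against the clock from dates stored alongside the record, which is the one property that can change its meaning over time even when the bytes match. The `REQUESTOR_DB`, `authenticate` and sample-header names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed stand-in for the requestor database (hypothetical, not Azure's):
# requestor-id -> the .pem shared out of band plus its validity window.
# SAMPLE_DER is arbitrary constructed bytes, not a real X.509 certificate.
SAMPLE_DER = bytes(range(0x30, 0x30 + 64))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
REQUESTOR_DB = {
    "acme-01": {
        "pem": SAMPLE_PEM,
        "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
        "not_after": datetime(2026, 1, 1, tzinfo=timezone.utc),
    }
}

# Constructed header values used by the usage block below.
GOOD_HEADER = base64.b64encode(SAMPLE_DER).decode()          # matches acme-01
BAD_HEADER = base64.b64encode(b"\x30" * 64).decode()         # same length, wrong bytes
NOW_VALID = datetime(2025, 6, 1, tzinfo=timezone.utc)        # inside the window
NOW_EXPIRED = datetime(2027, 6, 1, tzinfo=timezone.utc)      # after not_after


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body into raw DER bytes."""
    body = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def header_to_der(value: str) -> bytes:
    """X-ARR-ClientCert is assumed to hold the base64 body; tolerate folded whitespace."""
    return base64.b64decode("".join(value.split()), validate=True)


def thumbprint(der: bytes) -> str:
    """SHA-256 over the DER encoding; equal DER means every certificate field is equal."""
    return hashlib.sha256(der).hexdigest()


def authenticate(headers, now=None):
    """Validate the forwarded client certificate and return (http_status, body).

    On success the body is a freshly minted opaque token. An Azure Function's
    main(req) would call this as authenticate(req.headers).
    """
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    requestor_id = h.get("requestor-id")
    cert_header = h.get("x-arr-clientcert")
    if not requestor_id or not cert_header:
        return 400, "missing requestor-id or X-ARR-ClientCert header"

    record = REQUESTOR_DB.get(requestor_id)
    if record is None:
        return 403, "unknown requestor"

    try:
        presented = header_to_der(cert_header)
    except ValueError:  # binascii.Error is a ValueError subclass
        return 400, "X-ARR-ClientCert is not valid base64"

    expected = thumbprint(pem_to_der(record["pem"]))
    # Constant-time comparison so a mismatch does not leak which byte differed.
    if not hmac.compare_digest(thumbprint(presented), expected):
        return 403, "certificate does not match the one on file"

    if not (record["not_before"] <= now <= record["not_after"]):
        return 403, "certificate outside its validity window"

    return 200, secrets.token_urlsafe(32)


if __name__ == "__main__":
    for label, hdr, when in [
        ("good", GOOD_HEADER, NOW_VALID),
        ("wrong cert", BAD_HEADER, NOW_VALID),
        ("expired", GOOD_HEADER, NOW_EXPIRED),
    ]:
        status, body = authenticate(
            {"requestor-id": "acme-01", "X-ARR-ClientCert": hdr}, now=when
        )
        print(f"{label}: {status} {body if status != 200 else '<token>'}")
```

The same function would be the place to add anything beyond byte-equality that the question's checklist does not cover, such as revocation, and the stored `not_before`/`not_after` should be taken from the certificate at enrolment time so the window check cannot drift from what the `.pem` actually says.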