Support optional client certificates for TLS mutual auth
Client certificate optional
In IIS the client certificate may be:
- accepted (certificate optional)
- asked (certificate mandatory)
But on app service it can't be "accepted".
We have added the ability to define exclusion paths for cert based authentication.
You can find this under:
Configuration > General settings > Incoming Client Certificate > Certificate exclusion paths
Blog and docs should follow shortly
Marius Bancila commented
So where is the documentation for this feature? What is the form of an exclusion path? Do we have to guess it until we get it right?
Brad Uhrich commented
I agree with @Wesley that defining exclusion paths is not feature parity with IIS's implementation.
The implementation should, for example, support a single endpoint that accepts a JWT token from a user when present OR a certificate from a service when present.
Nick Locke commented
Even if the URL entered by the user is in the exclude list, they still see a prompt for a certificate. At that point, they can either "cancel" to continue with no certificate, or choose a certificate.
I guess there is no way to prevent the prompt appearing (so assume no certificate) if the URL entered by the user is on the exclude list?
Sam Patton commented
How do I set the exclusion paths via template? I added an exclusion, and exported the template, but it's the same as the old one.
The proposed solution (defining exclusion paths) is not the feature that was asked for.
Is it possible to replicate the same behaviour as was the case in IIS where you could set the client certificate setting to "Accepted"?
I am confused.
Cloud shell command: az webapp update --set clientCertEnabled=true --name AppServiceName --resource-group ResourceGoupName
and Incoming client certificates / Require incoming certificate are the same feature?
In my application I need to add client certificate authentication only for one controller. Should I select Require incoming certificate and add Certificate exclusion paths for all the other controllers?
This is something we would implement right away, are there any plans to release this soon?
Martijn van Mechelen commented
Please implement this feature!
Any plans to implement this at some point?
Is there a technical limitation within Azure's landscape blocking this feature?
As such, including the current proposal, there appears to be no way to achieve TLS negotiation with each client as here: https://blog.cloudflare.com/introducing-tls-client-auth/#handshakeswithtlsclientauth
@Amr This will work for us as well, thanks!
Wei Weng commented
@Amr. This will work! Would really like to have that.
@Amr, For us that would work too! We want to use certificates to secure a service.
Stian G-E commented
This would work great for us, we're supporting multiple authentication schemes (OAuth2/cookie and client certificates (for service-to-service)) on our public API and we're having to jump through hoops to support that scenario in Azure as-is
@Amr, For us that would work! We want to use certificates to secure a service.
"What we can do is introduce an option that will forward a client certificate to the app from the FrontEnd if it finds one ... but the caveat with this is that you will not get any prompt for choosing a client certificate in browser like clients. If your clients happen to be code (like using System.Net.HttpWebRequest), then you can attach a client certificate to your initial request and that will be sent all the way to the application in this scenario.
Would something like this work for folks?"
This is an unacceptable solution, are there any updates?
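The forwarded-certificate proposal quoted above only works if the application itself handles the "certificate present OR other credential" decision that Brad Uhrich describes. The following ASP.NET Core middleware is an added example (not code from this thread, from App Service or from any commenter) of how that can be done; it assumes the front end forwards the certificate as base64 DER in the `X-ARR-ClientCert` header, that the app is reachable only through that front end, and that `allowedThumbprints` is a constructed placeholder.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Thumbprints of the service certificates this API trusts (constructed placeholder value).
string[] allowedThumbprints = { "PLACEHOLDER_SERVICE_CERT_THUMBPRINT" };

// A valid chain (validity period, revocation) is not authorization by itself: also pin to the allow-list.
static bool IsTrusted(X509Certificate2 cert, string[] allowed)
{
    using var chain = new X509Chain();
    chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
    return chain.Build(cert)
        && Array.Exists(allowed, t => t.Equals(cert.Thumbprint, StringComparison.OrdinalIgnoreCase));
}

var app = WebApplication.CreateBuilder(args).Build();

// If the front end forwarded a certificate, validate it and authenticate the request; if none
// was offered (e.g. the browser user pressed "cancel"), fall through so another scheme (JWT,
// cookie, Basic) can authenticate the same endpoint. Assumes the app is reachable only via
// the App Service front end, which is what sets X-ARR-ClientCert (base64 DER) on the request.
app.Use(async (ctx, next) =>
{
    string? header = ctx.Request.Headers["X-ARR-ClientCert"];
    if (!string.IsNullOrEmpty(header))
    {
        X509Certificate2 cert;
        try { cert = new X509Certificate2(Convert.FromBase64String(header)); }
        catch (Exception e) when (e is FormatException or CryptographicException)
        {   // Malformed header: reject rather than silently treating it as "no certificate".
            ctx.Response.StatusCode = StatusCodes.Status400BadRequest; return;
        }
        using (cert)
        {
            if (!IsTrusted(cert, allowedThumbprints))
            {   // A certificate was offered but is not acceptable: do not fall through either.
                ctx.Response.StatusCode = StatusCodes.Status403Forbidden; return;
            }
            var identity = new ClaimsIdentity("ClientCertificate");
            identity.AddClaim(new Claim(ClaimTypes.Thumbprint, cert.Thumbprint));
            ctx.User = new ClaimsPrincipal(identity);
        }
    }
    await next();
});

app.MapGet("/api/resource", (HttpContext ctx) => ctx.User.Identity?.IsAuthenticated == true
    ? Results.Ok($"authenticated via {ctx.User.Identity.AuthenticationType}")
    : Results.Unauthorized());
app.Run();
```

Register the app's existing JWT/cookie authentication as usual; because the middleware only returns early when a certificate was presented and failed, requests without one reach those schemes unchanged.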
Alexander Batishchev commented
Can you please update the status on this feature. We need this as we want our API to accept both Certificate and AAD as authentication
Achim Kotremba commented
We also need this feature! It's the only thing preventing us from using Azure Web Apps for our use case.
Is there any new information about this feature?
Richard Barel commented
We also have an API with 'accepted' client certificates. Not all of our endpoints require the certificate... some are authenticated with Basic Auth. This is working in an AWS VM but need it to work in the Azure App Service Plan too.