Support optional client certificates for TLS mutual auth
Client certificate optional
In IIS the client certificate may be:
- accepted (certificate optional)
- asked (certificate mandatory)
But on app service it can't be "accepted".
We have added the ability to define exclusion paths for cert based authentication.
You can find this under:
Configuration > General settings > Incoming Client Certificate > Certificate exclusion paths
Blog and docs should follow shortly
Justin Dao commented
I agree with Fabrizio below - I'm trying to implement both Cert Auth and AAD Auth on the same endpoint, but it is proving to be difficult with App Service.
I don't understand why the default is for App Service to filter out the client cert. I feel like there should be an option we can enable such that App Service does not override any client certificate functionality, and just allow the host to handle the cert.
@Microsoft You should extend your implementation. Two points:
- instead of exclusion paths you should give inclusion paths. Often default URLs, like the home page and others, do not require a client certificate. It would be very useful to have "certificate inclusion paths".
- the original request was about implementing a behavior like IIS: ignore, accept, require. Please, reconsider your solution to implement exactly that. Many times the same endpoint, like an API, can accept a client certificate but also a JWT instead of the certificate. Your solution forces me to create 2 different endpoints and play with "certificate exclusion paths". Very nasty.
Marius Bancila commented
So where is the documentation for this feature? What is the form of an exclusion path? Do we have to guess it until we get it right?
Brad Uhrich commented
I agree with @Wesley that defining exclusion paths is not feature parity with IIS's implementation.
The implementation should, for example, support a single endpoint that accepts a JWT token from a user when present OR a certificate from a service when present.
Nick Locke commented
Even if the URL entered by the user is in the exclude list, they still see a prompt for a certificate. At that point, they can either "cancel" to continue with no certificate, or choose a certificate.
I guess there is no way to prevent the prompt appearing (so assume no certificate) if the URL entered by the user is on the exclude list?
Sam Patton commented
How do I set the exclusion paths via template? I added an exclusion, and exported the template, but it's the same as the old one.
The proposed solution (defining exclusion paths) is not the feature that was asked for.
Is it possible to replicate the same behaviour as was the case in IIS where you could set the client certificate setting to "Accepted"?
I am confused.
Cloud shell command: az webapp update --set clientCertEnabled=true --name AppServiceName --resource-group ResourceGroupName
and Incoming client certificates/Require incoming certificate is the same feature?
In my application I need to add client certificate authentication only for one controller. Should I select Require incoming certificate and add Certificate exclusion paths for all other controllers?
This is something we would implement right away, are there any plans to release this soon?
Martijn van Mechelen commented
Please implement this feature!
Any plans to implement this at some point?
Is there a technical limitation within Azure's landscape blocking this feature?
As such, including the current proposal, there appears to be no way to achieve TLS negotiation with each client as here: https://blog.cloudflare.com/introducing-tls-client-auth/#handshakeswithtlsclientauth
@Amr This will work for us as well, thanks!
Wei Weng commented
@Amr. This will work! Would really like to have that.
@Amr, For us that would work too! We want to use certificates to secure a service.
Stian G-E commented
This would work great for us, we're supporting multiple authentication schemes (oauth2/cookie and client certificates (for service-to-service) on our public API) and we're having to jump through hoops to support that scenario in Azure as-is.
@Amr, For us that would work! We want to use certificates to secure a service.
"What we can do is introduce an option that will forward a client certificate to the app from the FrontEnd if it finds one ... but the caveat with this is that you will not get any prompt for choosing a client certificate in browser like clients. If your clients happen to be code (like using System.Net.HttpWebRequest), then you can attach a client certificate to your initial request and that will be sent all the way to the application in this scenario.
Would something like this work for folks?"
This is an unacceptable solution, are there any updates?
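Several commenters above ask for one endpoint that accepts a client certificate from a service caller when present and a JWT from a user otherwise, and Amr's quoted proposal would forward the certificate from the App Service front end to the app rather than prompting for it. The following is an added example written for this thread, not code from Microsoft or from any commenter, of how an application could implement that "accept either" behaviour once the certificate is forwarded. It assumes the front end places the base64 DER certificate in the X-ARR-ClientCert header (a documented App Service header that this thread does not mention), authorizes service callers by SHA-256 thumbprint against a constructed allowlist, and uses an HS256 token with a constructed shared key as a stand-in for AAD token validation. The certificate bytes and key are constructed sample data.

```python
"""Accept either a forwarded client certificate or a bearer JWT on one endpoint."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Header in which the App Service front end forwards the client certificate
# (base64 of the DER encoding). Assumed here; documented App Service behaviour.
CLIENT_CERT_HEADER = "x-arr-clientcert"

# Constructed shared key; real AAD tokens are RS256 and are checked against
# the tenant's published signing keys instead.
JWT_KEY = b"constructed-demo-key"

# Constructed stand-in for a DER certificate. A real certificate is a DER
# SEQUENCE (first byte 0x30); this blob is not a parseable X.509 structure.
SAMPLE_CLIENT_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-certificate-body"

# Allowlist of trusted service callers, keyed by SHA-256 thumbprint of the DER.
TRUSTED_CERT_THUMBPRINTS = {hashlib.sha256(SAMPLE_CLIENT_CERT_DER).hexdigest()}


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def encode_cert_header(der: bytes) -> str:
    """Produce the header value the front end would send for a given DER blob."""
    return base64.b64encode(der).decode()


def certificate_from_headers(headers: dict) -> Optional[bytes]:
    """Return the DER bytes of the forwarded client certificate, or None."""
    encoded = headers.get(CLIENT_CERT_HEADER)
    if not encoded:
        return None
    try:
        der = base64.b64decode(encoded, validate=True)
    except ValueError:
        return None
    # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        return None
    return der


def cert_thumbprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def make_jwt(claims: dict, key: bytes = JWT_KEY) -> str:
    """Mint an HS256 token; used only to construct sample input for this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes = JWT_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm so the token cannot select "none" or a weaker scheme.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def authenticate(headers: dict, trust_forwarded_cert: bool = True) -> Optional[dict]:
    """One endpoint, two schemes: certificate when forwarded, otherwise bearer JWT.

    trust_forwarded_cert must be False if the app is reachable by any path that
    bypasses the App Service front end, since then a caller could set the header.
    """
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if trust_forwarded_cert:
        der = certificate_from_headers(headers)
        if der is not None:
            tp = cert_thumbprint(der)
            if tp in TRUSTED_CERT_THUMBPRINTS:
                return {"scheme": "certificate", "subject": tp}
            return None  # a presented but untrusted certificate is a hard failure
    auth = headers.get("authorization", "")
    if auth.startswith("Bearer "):
        claims = verify_jwt(auth[len("Bearer "):])
        if claims is not None:
            return {"scheme": "jwt", "subject": claims.get("sub")}
    return None  # neither scheme satisfied: respond 401
```

A presented certificate that is not on the allowlist is rejected outright rather than falling through to the JWT branch, so a caller cannot use an arbitrary certificate to downgrade its own authentication. The trust_forwarded_cert switch exists because, in the forwarding model Amr describes, the certificate arrives as an ordinary request header, and a header is only evidence of a TLS handshake if nothing but the front end can reach the app.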
Alexander Batishchev commented
Can you please update the status on this feature. We need this as we want our API to accept both Certificate and AAD as authentication.