I'm working on building an auth token server using a Python Azure Function with an HTTP trigger. The goal is to use mutual TLS (mTLS) authentication.

The way it will work:

  1. Client sends an HTTP request to the Function endpoint with two headers:
     • requestor-id: an identifier used for lookups
     • X-ARR-ClientCert: a string representation of their .pem certificate
  2. The Function will look in a database where the requestor's .pem has been previously shared.
  3. Using pyOpenSSL, the Function will load the two .pem files and compare the request cert and the retrieved cert on:
     • not_valid_before/after dates
     • common name
     • issuer
     • thumbprint
  4. If each property of the certs matches, the Function will respond with an auth token for use in a downstream data call.

My question is:

  • This isn't really "mutual" as the server hosting the Function code is not presenting its certificate anywhere (visible) in the handshake.
  • Is the server side of mTLS handshake configured elsewhere or does it "just work" because the Function endpoint is https out of the box?

1 Answer

4

If you want to use mutual TLS (mTLS) authentication in an Azure Function app, you just need to enable client certificates. After doing that, Function App Service injects an X-ARR-ClientCert request header with the client certificate. Function App Service does not do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client certificate. For more details, please refer to here and here.


2 Comments

Thank you @JimXu. I'm stuck on how to access the X-ARR-ClientCert header using Python Function code. There are a few examples in C#, but I have not found one for Python. Do you know how this header is accessed?
Disregard. @krishg helped me over here.
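Reading the forwarded header and doing the checks listed in the question, as an added example that is not part of the answer or the comment thread. It uses the cryptography library's x509 module (the library pyOpenSSL is built on) rather than pyOpenSSL itself. App Service places the client certificate in X-ARR-ClientCert as the base64-encoded DER bytes with no PEM header lines, so the header is base64-decoded and loaded as DER. The in-memory STORED_PEMS dictionary stands in for the poster's database, the entry-point name main, make_test_cert, to_header and demo are assumptions, and the certificates are constructed inline. As the answer says, App Service only forwards the certificate, so the example also checks the validity window against the current time: a certificate that is byte-for-byte the stored copy still passes the field comparison after it has expired.

```python
import base64, binascii, hmac, secrets
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CERT_HEADER = "X-ARR-ClientCert"
REQUESTOR_HEADER = "requestor-id"
STORED_PEMS = {}  # constructed stand-in for the database: requestor-id -> PEM bytes

def parse_forwarded_cert(header_value):
    """App Service sends the base64-encoded DER certificate, without PEM armor."""
    try:
        der = base64.b64decode("".join(header_value.split()), validate=True)
        return x509.load_der_x509_certificate(der)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("X-ARR-ClientCert is not a base64 DER certificate") from exc

def _validity(cert):
    """Validity window as aware UTC datetimes, on old and new cryptography releases."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=dt.timezone.utc),
            cert.not_valid_after.replace(tzinfo=dt.timezone.utc))

def validate_client_cert(presented, stored, now):
    """Return the names of the checks that failed; an empty list means accept."""
    failures = []
    if _validity(presented) != _validity(stored):
        failures.append("validity-dates")
    if (presented.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
            != stored.subject.get_attributes_for_oid(NameOID.COMMON_NAME)):
        failures.append("common-name")
    if presented.issuer != stored.issuer:
        failures.append("issuer")
    # SHA-256 thumbprint over the DER bytes, compared in constant time.
    if not hmac.compare_digest(presented.fingerprint(hashes.SHA256()),
                               stored.fingerprint(hashes.SHA256())):
        failures.append("thumbprint")
    # Matching the stored copy is not enough: the platform does not check expiry,
    # and an expired certificate matches its own expired stored copy perfectly.
    not_before, not_after = _validity(presented)
    if not not_before <= now <= not_after:
        failures.append("not-currently-valid")
    return failures

def authorize_request(headers, now=None):
    """Framework-independent core; returns (HTTP status, body)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    requestor, header = headers.get(REQUESTOR_HEADER), headers.get(CERT_HEADER)
    if not requestor or not header:
        return 401, "missing requestor-id or client certificate"
    stored_pem = STORED_PEMS.get(requestor)
    if stored_pem is None:
        return 403, "unknown requestor"
    try:
        presented = parse_forwarded_cert(header)
    except ValueError as exc:
        return 400, str(exc)
    failures = validate_client_cert(presented, x509.load_pem_x509_certificate(stored_pem), now)
    if failures:
        return 403, "certificate check failed: " + ", ".join(failures)
    return 200, secrets.token_urlsafe(32)  # assumption: opaque random token stands in

def main(req):
    """Azure Functions HTTP-trigger entry point (the name main is assumed)."""
    import azure.functions as func  # only available inside the Functions runtime
    status, body = authorize_request(req.headers)
    return func.HttpResponse(body, status_code=status)

def make_test_cert(cn, issuer_cn, not_before, not_after):
    """Constructed test certificate: self-signed, with an invented issuer name."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .sign(key, hashes.SHA256()))

def to_header(cert):
    """What App Service would place in X-ARR-ClientCert for this certificate."""
    return base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()

def demo():
    """Exercise the checks with constructed certificates; returns each outcome."""
    nb, na = dt.datetime(2024, 1, 1), dt.datetime(2026, 1, 1)
    good = make_test_cert("client-a", "Test CA", nb, na)
    impostor = make_test_cert("client-a", "Test CA", nb, na)  # same names, other key
    expired = make_test_cert("client-a", "Test CA", dt.datetime(2020, 1, 1), dt.datetime(2021, 1, 1))
    STORED_PEMS["client-a"] = good.public_bytes(serialization.Encoding.PEM)
    now = dt.datetime(2025, 1, 1, tzinfo=dt.timezone.utc)
    req = lambda rid, hdr: authorize_request({REQUESTOR_HEADER: rid, CERT_HEADER: hdr}, now)[0]
    return {"good": req("client-a", to_header(good)),
            "impostor": validate_client_cert(impostor, good, now),
            "expired": validate_client_cert(expired, expired, now),
            "garbage": req("client-a", "not-a-cert!"),
            "unknown": req("nobody", to_header(good))}
```

In the Functions runtime, req.headers is the case-insensitive header mapping, so req.headers.get("X-ARR-ClientCert") returns the forwarded value whatever case the front end used. Because the thumbprint is a hash over the whole DER certificate, a thumbprint match already implies the dates, common name and issuer match; the field-by-field checks are kept so the response names the property that differed. main returns func.HttpResponse, which exists only inside the Functions runtime, which is why the logic lives in authorize_request and can be run locally.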
