Azure Functions - Configure client certificate authentication

Luis Delgado · Apr 6, 2018 · Viewed 7.3k times

Do functions support authorizing access to a Function by using client certificates, in a consumption plan? Something similar to the approach described here? Basically, I'm looking for the Functions runtime to immediately reject connection requests if the caller does not present a valid client certificate, without me having to implement that authorization routine in the code.

Answer

Bruce Chen · Apr 6, 2018

Based on your requirement, I created my C# HttpTrigger function to check this issue. Here is the core code:

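// App Service forwards the caller's certificate, base64-encoded, in the X-ARR-ClientCert header.
if (req.Headers.Contains("X-ARR-ClientCert"))
{
    byte[] clientCertBytes = Convert.FromBase64String(req.Headers.GetValues("X-ARR-ClientCert").FirstOrDefault());
    var clientCert = new X509Certificate2(clientCertBytes);
    // Echo the thumbprint to show that the certificate reached the function.
    return req.CreateResponse(HttpStatusCode.OK, "Thumbprint: " + clientCert.Thumbprint);
}
// No client certificate header was present on the request.
return req.CreateResponse(HttpStatusCode.OK, "Hello world");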

For App Service Plan, the function could work as follows:

Per my test, the function could also work as expected under the consumption plan.

You could follow How To Configure TLS Mutual Authentication for Web App or just log into Azure Portal and go to your function app, click "NETWORKING > SSL" under the Platform features tab, then enable the Incoming client certificate option.
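
The snippet in the answer echoes the thumbprint of whatever certificate arrives in X-ARR-ClientCert. As an added example (not code from the original answer or from Azure), this is one way a function could decide whether to accept that certificate, by checking its validity period and pinning it to a thumbprint allow-list. The `ClientCertCheck` class, the `Reject` helper and the throwaway self-signed certificate are assumptions made for illustration, and the program assumes .NET Core 3.0 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck
{
    // Hypothetical helper: returns null when the certificate is accepted, otherwise the rejection reason.
    public static string Reject(string headerValue, ISet<string> allowedThumbprints, DateTime nowUtc)
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return "no client certificate presented";

        X509Certificate2 cert;
        try { cert = new X509Certificate2(Convert.FromBase64String(headerValue)); }
        catch (FormatException) { return "header is not valid base64"; }
        catch (CryptographicException) { return "header is not a certificate"; }

        using (cert)
        {
            // NotBefore/NotAfter are returned in local time; compare in UTC.
            if (nowUtc < cert.NotBefore.ToUniversalTime() || nowUtc > cert.NotAfter.ToUniversalTime())
                return "certificate is outside its validity period";
            if (!allowedThumbprints.Contains(cert.Thumbprint))
                return "thumbprint is not on the allow-list";
        }
        return null;
    }

    static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate, encoded as the header would carry it.
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest("CN=constructed-client", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        string header = Convert.ToBase64String(cert.Export(X509ContentType.Cert));

        var allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { cert.Thumbprint };
        var nobody = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

        Console.WriteLine(Reject(header, allowed, DateTime.UtcNow) ?? "accepted");
        Console.WriteLine(Reject(header, nobody, DateTime.UtcNow));
        Console.WriteLine(Reject(header, allowed, DateTime.UtcNow.AddDays(30)));
        Console.WriteLine(Reject("not base64!", allowed, DateTime.UtcNow));
        Console.WriteLine(Reject(null, allowed, DateTime.UtcNow));
    }
}
```

In a function, a non-null result from `Reject` would map to a 403 response instead of the "Hello world" fallback.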