Azure API Management - secure API through Client Certificate

时光怂恿深爱的人放手 submitted on 2019-12-23 04:29:17

Question


I am testing the authenticate-against-Client-Certificate functionality with the out-of-the-box Echo API GET request. I have added an inbound rule to check that the request has a certificate.

I am using a self-signed certificate; I have updated it under CA and client certificates.

```xml
<inbound>
    <choose>
        <when condition="@(context.Request.Certificate == null)">
            <return-response>
                <set-status code="403" reason="Invalid client certificate"/>
            </return-response>
        </when>
    </choose>
    <base />
</inbound>
```

In my client application, I am using the code below to make the call.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security;
using System.Security.Cryptography.X509Certificates;

public static class ApimClient
{
    public static void MakeAnAzureApiCall()
    {
        var url = @"https://xxxx.azure-api.net/echo/resource?param1=sample";

        // WebRequestHandler (System.Net.Http.WebRequest, .NET Framework) lets the
        // client certificate be attached explicitly rather than picked from a store.
        var handler = new WebRequestHandler();
        handler.ClientCertificateOptions = ClientCertificateOption.Manual;

        // PFX password as a SecureString.
        SecureString sec = new SecureString();
        string pwd = "P@ssw0rd";
        pwd.ToCharArray().ToList().ForEach(sec.AppendChar);
        sec.MakeReadOnly();

        // Load the PFX (certificate plus private key). The private key is what lets
        // the TLS handshake prove possession of the certificate; a .cer file has no
        // private key, so the commented-out alternative could not be used here.
        var cert = new X509Certificate2(@"C:\temp\apim.pfx", sec, X509KeyStorageFlags.MachineKeySet);
        //X509Certificate2.CreateFromCertFile(@"C:\temp\apim1.cer");

        handler.ClientCertificates.Add(cert);

        var client = new HttpClient(handler);
        var request = new HttpRequestMessage(HttpMethod.Get, url);

        request.Headers.TryAddWithoutValidation("Ocp-Apim-Subscription-Key", "xxxxxxxxxxxxxxxxxx");

        var response = client.SendAsync(request).Result;
        string responseString = response.Content.ReadAsStringAsync().Result;
    }
}
```

I am always getting a 403 response from API Management; it looks like the cert is never received by APIM. Does anyone know what I am doing wrong here?

EDIT 1: Here is the trace file from Azure.

```json
{
       "traceId":"421658ba50fb480786757c8d7c22da48",
       "traceEntries":{  
          "inbound":[  
             {  
                "source":"api-inspector",
                "timestamp":"2019-08-22T16:01:59.6691383Z",
                "elapsed":"00:00:00.0002782",
                "data":{  
                   "request":{  
                      "method":"GET",
                      "url":"https://doddapim.azure-api.net/echo/resource?param1=sample",
                      "headers":[  
                         {  
                            "name":"Ocp-Apim-Subscription-Key",
                            "value":"e7f21197ef6f4628bdcde8f23394812d"
                         },
                         {  
                            "name":"Postman-Token",
                            "value":"c4f8ef9a-6428-4781-bf4a-e774145c14e9"
                         },
                         {  
                            "name":"X-Forwarded-For",
                            "value":"10.26.60.106"
                         },
                         {  
                            "name":"X-BlueCoat-Via",
                            "value":"ee27777141854371"
                         },
                         {  
                            "name":"Cache-Control",
                            "value":"no-cache"
                         },
                         {  
                            "name":"Connection",
                            "value":"Keep-Alive"
                         },
                         {  
                            "name":"Accept",
                            "value":"*/*"
                         },
                         {  
                            "name":"Accept-Encoding",
                            "value":"gzip,deflate"
                         },
                         {  
                            "name":"Host",
                            "value":"doddapim.azure-api.net"
                         },
                         {  
                            "name":"User-Agent",
                            "value":"PostmanRuntime/7.15.2"
                         }
                      ]
                   }
                }
             },
             {  
                "source":"api-inspector",
                "timestamp":"2019-08-22T16:01:59.6691383Z",
                "elapsed":"00:00:00.0002814",
                "data":{  
                   "configuration":{  
                      "api":{  
                         "from":"/echo",
                         "to":{  
                            "scheme":"http",
                            "host":"echoapi.cloudapp.net",
                            "port":80,
                            "path":"/api",
                            "queryString":"",
                            "query":{  

                            },
                            "isDefaultPort":true
                         },
                         "version":null,
                         "revision":"1"
                      },
                      "operation":{  
                         "method":"GET",
                         "uriTemplate":"/resource"
                      },
                      "user":"-",
                      "product":"-"
                   }
                }
             },
             {  
                "source":"cors",
                "timestamp":"2019-08-22T16:01:59.6691383Z",
                "elapsed":"00:00:00.0014853",
                "data":"Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
             },
             {  
                "source":"cors",
                "timestamp":"2019-08-22T16:01:59.6691383Z",
                "elapsed":"00:00:00.0014872",
                "data":"Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
             },
             {  
                "source":"client-certificate-handler",
                "timestamp":"2019-08-22T16:01:59.6691383Z",
                "elapsed":"00:00:00.0014961",
                "data":"Requesting client certificate because next handler requires access to it."
             },
             {  
                "source":"client-certificate-handler",
                "timestamp":"2019-08-22T16:01:59.6691383Z",
                "elapsed":"00:00:00.0017793",
                "data":"No client certificate received."
             },
             {  
                "source":"choose",
                "timestamp":"2019-08-22T16:01:59.6691383Z",
                "elapsed":"00:00:00.0017844",
                "data":{  
                   "message":"Expression was successfully evaluated.",
                   "expression":"context.Request.Certificate == null",
                   "value":true
                }
             },
             {  
                "source":"set-status",
                "timestamp":"2019-08-22T16:01:59.6691383Z",
                "elapsed":"00:00:00.0017909",
                "data":{  
                   "message":[  
                      "Response status code was set to 403",
                      "Response status reason was set to 'Invalid client certificate'"
                   ]
                }
             },
             {  
                "source":"return-response",
                "timestamp":"2019-08-22T16:01:59.6691383Z",
                "elapsed":"00:00:00.0017946",
                "data":{  
                   "message":"Return response was applied",
                   "response":{  
                      "status":{  
                         "code":"Forbidden",
                         "reason":"Invalid client certificate"
                      },
                      "headers":[  

                      ]
                   }
                }
             }
          ],
          "outbound":[  
             {  
                "source":"transfer-response",
                "timestamp":"2019-08-22T16:01:59.6691383Z",
                "elapsed":"00:00:00.0018163",
                "data":{  
                   "message":"Response headers have been sent to the caller."
                }
             }
          ]
       }
}
```
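The policy in the question only tests whether any certificate arrived; it says nothing about who presented it. As an added example (not part of the original post, and not Microsoft's own sample), the following inbound policy keeps the same 403 response but also rejects certificates that are outside their validity window or whose thumbprint does not match one of the certificates uploaded to the APIM instance. It assumes the client certificate has been uploaded under "Certificates", which is what `context.Deployment.Certificates` enumerates; comparisons are written with `>` rather than `<` so the expression stays valid inside an XML attribute.

```xml
<inbound>
    <choose>
        <!-- Reject the request when no certificate was presented, when the
             certificate is not yet valid or already expired, or when its thumbprint
             is not one of the certificates uploaded to this APIM instance.
             Matching on thumbprint pins the exact certificate and works for a
             self-signed certificate too, since no chain has to be built. -->
        <when condition="@(context.Request.Certificate == null
                           || DateTime.Now > context.Request.Certificate.NotAfter
                           || context.Request.Certificate.NotBefore > DateTime.Now
                           || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
            <return-response>
                <set-status code="403" reason="Invalid client certificate" />
            </return-response>
        </when>
    </choose>
    <base />
</inbound>
```

In the trace above the `client-certificate-handler` entry reports "No client certificate received.", so the first clause short-circuits and the extra checks are never reached; they matter once a certificate does arrive, because a presence-only check would accept any certificate at all, including an expired or unrelated one. The `set-status` reason is a useful thing to leave in place: it shows up in the API inspector trace exactly as it does here, which makes a rejected mutual-TLS handshake easy to spot in the logs.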


Answer 1:


Finally, I figured it out. The proxy is blocking the client from sending the certificate to the server. Nothing wrong with the code or configuration.



Source: https://stackoverflow.com/questions/57498215/azure-api-management-secure-api-through-client-certificate
