Open mattchenderson opened 4 years ago
I was actually extremely surprised when I came across this and was expecting to see mutual auth handled as part of the App Service itself, making it configurable via ARM template and thereby easily transferable everywhere.
Is there any plan for implementing this on the roadmap? 😄
What problem would the feature you're requesting solve? Please describe.
Today, validation of a client cert as part of TLS mutual auth needs to be handled by App Code. This is in part due to the fact that SSL termination happens on the frontends in the hosted service. Details of what a user is expected to do in a web app context can be found here: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
However, this is much worse in Functions, because each function would have to kick off this validation logic, and the lack of enforcement there means a function could be created which doesn't properly perform the validation. Security measures such as this should be express-once and attestable.
Describe the solution you'd like
Similar to other host.json configuration options for global HTTP behavior, I would want to be able to set some parameters for basic validation of the thumbprint, signature, issuer, expiration, etc.
It would also be necessary to specify how the cert is obtained for validation. For example, in the App Service platform it is passed as the X-ARR-ClientCert header.
Describe alternatives you've considered
Global function filters would provide a means to address this but are not supported. A platform feature would also work (and cover a broader range of scenarios), but no such plans are publicly available. That also wouldn't help for alternative hosting contexts.
Additional context
https://feedback.azure.com/forums/355860-azure-functions/suggestions/39834901-client-cert-authentication-support-in-azure-functi
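For readers who land here looking for what "handled by App Code" means in practice, the following is an added illustration and is not code from this issue, from the Azure Functions host, or from the linked docs. It simulates the front end forwarding a client certificate as the base64-encoded DER value of the `X-ARR-ClientCert` header and then performs the per-request checks the issue says each function must currently repeat: header presence, parseability, validity period, issuer, signature by a trusted CA, and an optional thumbprint allowlist. The `cryptography` library, the helper names, the "Example Client CA" and device names, and the use of a SHA-1 hex thumbprint are assumptions made for the example; all certificates are constructed in-process so it runs offline.

```python
import base64
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Header the App Service front end uses to forward the client certificate (named in the issue).
CLIENT_CERT_HEADER = "X-ARR-ClientCert"


def _utcnow():
    # Naive UTC, matching the naive datetimes older cryptography releases expose on certificates.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _validity_window(cert):
    """Validity bounds as naive UTC across cryptography versions (newer ones add *_utc properties)."""
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None:
        return cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None), na.replace(tzinfo=None)


def make_cert(subject_cn, issuer_cn, signing_key, public_key, days, days_ago=0):
    """Build a test certificate (constructed data; only used to simulate the forwarded header)."""
    not_before = _utcnow() - datetime.timedelta(days=days_ago)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + datetime.timedelta(days=days))
        .sign(signing_key, hashes.SHA256())
    )


def header_value(cert):
    """Encode a certificate the way the front end forwards it: base64 of the DER bytes."""
    return base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode("ascii")


def thumbprint(cert):
    """SHA-1 hex thumbprint, the form the Azure portal and docs use (assumed here)."""
    return cert.fingerprint(hashes.SHA1()).hex().upper()


def validate_client_cert(headers, trusted_ca, allowed_thumbprints=None, now=None):
    """Return (ok, reason) for the forwarded client cert: presence, parseability,
    expiration, issuer, signature by the trusted CA, and an optional thumbprint allowlist."""
    raw = headers.get(CLIENT_CERT_HEADER)
    if not raw:
        return False, "missing client certificate header"
    try:
        cert = x509.load_der_x509_certificate(base64.b64decode(raw, validate=True))
    except Exception:
        return False, "header is not a base64 DER certificate"
    now = now or _utcnow()
    not_before, not_after = _validity_window(cert)
    if now < not_before or now > not_after:
        return False, "certificate not within its validity period"
    if cert.issuer != trusted_ca.subject:
        return False, "unexpected issuer"
    # The issuer name alone is spoofable (anyone can self-sign with the CA's name),
    # so the signature must actually verify under the trusted CA's public key.
    try:
        trusted_ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "certificate not signed by trusted CA"
    if allowed_thumbprints is not None and thumbprint(cert) not in allowed_thumbprints:
        return False, "thumbprint not in allowlist"
    return True, "ok"


def demo():
    """Run the validator over constructed scenarios; returns {scenario: reason}."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = make_cert("Example Client CA", "Example Client CA", ca_key, ca_key.public_key(), days=3650)
    client_key = ec.generate_private_key(ec.SECP256R1())
    good = make_cert("device-01", "Example Client CA", ca_key, client_key.public_key(), days=365)
    expired = make_cert("device-02", "Example Client CA", ca_key, client_key.public_key(), days=30, days_ago=60)
    # Self-signed certificate that merely claims the trusted CA as its issuer.
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    rogue = make_cert("device-01", "Example Client CA", rogue_key, rogue_key.public_key(), days=365)

    allow = {thumbprint(good)}
    scenarios = {
        "valid": {CLIENT_CERT_HEADER: header_value(good)},
        "expired": {CLIENT_CERT_HEADER: header_value(expired)},
        "rogue_issuer": {CLIENT_CERT_HEADER: header_value(rogue)},
        "no_header": {},
        "garbage": {CLIENT_CERT_HEADER: "not-a-cert"},
    }
    return {name: validate_client_cert(h, ca, allow)[1] for name, h in scenarios.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:>13}: {reason}")
```

The `rogue_issuer` scenario is the one to notice: a check that only compares the issuer name passes it, and only the signature verification rejects it. That this much logic has to live in every HTTP-triggered function, with nothing enforcing that it is present, is exactly the gap the issue describes.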