问题
I am testing client-certificate authentication with the out-of-the-box Echo API GET request. I have added an inbound policy that checks whether the request carries a certificate.
I am using a self-signed certificate, which I have uploaded under both CA certificates and client certificates.
<inbound>
<!-- Reject the request with 403 when no client certificate was presented.
     This expression only checks for presence: it does not verify the
     certificate's issuer, thumbprint or validity period. -->
<choose>
<when condition="@(context.Request.Certificate == null)">
<return-response>
<set-status code="403" reason="Invalid client certificate"/>
</return-response>
</when>
</choose>
<base />
</inbound>
In my client application, I am using the code below to make the call:
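/// <summary>
/// Sends a GET request to the APIM Echo API, presenting a client certificate
/// loaded from a PFX file and the subscription key header. The response body
/// is read and discarded; this is a repro/demo entry point with no result.
/// </summary>
/// <exception cref="AggregateException">Wraps any HttpRequestException from the blocked SendAsync call.</exception>
/// <exception cref="System.Security.Cryptography.CryptographicException">If the PFX cannot be opened with the given password.</exception>
public static void MakeAnAzureApiCall()
{
    // Demo values: the PFX password and subscription key are hard-coded only
    // for this repro; real code should load them from configuration or a
    // secret store rather than embedding them in source.
    var url = @"https://xxxx.azure-api.net/echo/resource?param1=sample";
    const string pfxPath = @"C:\temp\apim.pfx";
    const string pfxPassword = "P@ssw0rd";
    const string subscriptionKey = "xxxxxxxxxxxxxxxxxx";

    // A SecureString built from a plain string literal adds no real protection
    // (the plaintext is already in memory); it only satisfies the
    // X509Certificate2 constructor overload used below.
    using (var pfxSecret = new SecureString())
    {
        foreach (var ch in pfxPassword)
        {
            pfxSecret.AppendChar(ch);
        }
        pfxSecret.MakeReadOnly();

        // Dispose the certificate, handler, client, request and response so the
        // private-key handle and the connection are released when the call ends
        // (the original left all of them undisposed).
        using (var cert = new X509Certificate2(pfxPath, pfxSecret, X509KeyStorageFlags.MachineKeySet))
        using (var handler = new WebRequestHandler())
        {
            // Manual: the certificate added below is offered during the TLS
            // handshake when the server asks for one.
            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
            handler.ClientCertificates.Add(cert);

            using (var client = new HttpClient(handler))
            using (var request = new HttpRequestMessage(HttpMethod.Get, url))
            {
                request.Headers.TryAddWithoutValidation("Ocp-Apim-Subscription-Key", subscriptionKey);

                // .Result blocks the calling thread and surfaces failures as
                // AggregateException; kept because this entry point is synchronous.
                using (var response = client.SendAsync(request).Result)
                {
                    // Body is read to completion but not used by this demo.
                    string responseString = response.Content.ReadAsStringAsync().Result;
                }
            }
        }
    }
}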
I always get a 403 response from API Management; it looks like the certificate never reaches APIM. Does anyone know what I am doing wrong here?
EDIT 1: Here is the trace from Azure:
```json
{
"traceId":"421658ba50fb480786757c8d7c22da48",
"traceEntries":{
"inbound":[
{
"source":"api-inspector",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0002782",
"data":{
"request":{
"method":"GET",
"url":"https://doddapim.azure-api.net/echo/resource?param1=sample",
"headers":[
{
"name":"Ocp-Apim-Subscription-Key",
"value":"e7f21197ef6f4628bdcde8f23394812d"
},
{
"name":"Postman-Token",
"value":"c4f8ef9a-6428-4781-bf4a-e774145c14e9"
},
{
"name":"X-Forwarded-For",
"value":"10.26.60.106"
},
{
"name":"X-BlueCoat-Via",
"value":"ee27777141854371"
},
{
"name":"Cache-Control",
"value":"no-cache"
},
{
"name":"Connection",
"value":"Keep-Alive"
},
{
"name":"Accept",
"value":"*/*"
},
{
"name":"Accept-Encoding",
"value":"gzip,deflate"
},
{
"name":"Host",
"value":"doddapim.azure-api.net"
},
{
"name":"User-Agent",
"value":"PostmanRuntime/7.15.2"
}
]
}
}
},
{
"source":"api-inspector",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0002814",
"data":{
"configuration":{
"api":{
"from":"/echo",
"to":{
"scheme":"http",
"host":"echoapi.cloudapp.net",
"port":80,
"path":"/api",
"queryString":"",
"query":{
},
"isDefaultPort":true
},
"version":null,
"revision":"1"
},
"operation":{
"method":"GET",
"uriTemplate":"/resource"
},
"user":"-",
"product":"-"
}
}
},
{
"source":"cors",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0014853",
"data":"Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
},
{
"source":"cors",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0014872",
"data":"Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
},
{
"source":"client-certificate-handler",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0014961",
"data":"Requesting client certificate because next handler requires access to it."
},
{
"source":"client-certificate-handler",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0017793",
"data":"No client certificate received."
},
{
"source":"choose",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0017844",
"data":{
"message":"Expression was successfully evaluated.",
"expression":"context.Request.Certificate == null",
"value":true
}
},
{
"source":"set-status",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0017909",
"data":{
"message":[
"Response status code was set to 403",
"Response status reason was set to 'Invalid client certificate'"
]
}
},
{
"source":"return-response",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0017946",
"data":{
"message":"Return response was applied",
"response":{
"status":{
"code":"Forbidden",
"reason":"Invalid client certificate"
},
"headers":[
]
}
}
}
],
"outbound":[
{
"source":"transfer-response",
"timestamp":"2019-08-22T16:01:59.6691383Z",
"elapsed":"00:00:00.0018163",
"data":{
"message":"Response headers have been sent to the caller."
}
}
]
}
}
```
回答1:
Finally, I figured it out: a proxy was blocking the client from sending the certificate to the server. There was nothing wrong with the code or the configuration. (The `X-BlueCoat-Via` header in the trace above was the hint that the request was passing through one.)
来源:https://stackoverflow.com/questions/57498215/azure-api-management-secure-api-through-client-certificate