I am facing an issue where I am not able to see the client certificate being passed to the backend when using client certificate authentication using Azure API Management Service.
I have created an HTTPS backend where I validate the certificate and have added logging to see the headers and the values that come through.
In my API Management gateway, I have the following policies applied in the "All Operations" of my API:
    <policies>
        <inbound>
            <base/>
            <authentication-certificate thumbprint="AB4495609DEEE612E9DF25CBC9EB4D7064D6EA97"/>
        </inbound>
        <backend>
            <forward-request/>
        </backend>
        <outbound>
            <base/>
        </outbound>
        <on-error>
            <base/>
        </on-error>
    </policies>
In the API call I have the following policy definition:
    <policies>
        <inbound>
            <base/>
        </inbound>
        <backend>
            <base/>
        </backend>
        <outbound>
            <base/>
        </outbound>
    </policies>
Now when I make a call to the API, I can see from my backend that I get the following message:
    8/12/2017 6:24:57 AMOcp-Apim-Subscription-Key:dbxxxx991a3b4b8aa19a4fxxxxxxx
    8/12/2017 6:24:57 AMX-ARR-ClientCert header is missing
If I add that header as a policy in the API gateway and set it to the base64-encoded value of the cert, it works fine. I would like to use the configured certificate rather than setting the cert in the header, if I can avoid it.
I have tried setting the backend to HTTP as well as HTTPS. Both seem to give the same results.
Just some extra information: my backend is an ASP.NET Core Web API project running in a Docker container (hosted on an Azure Ubuntu machine). I have tried hitting the URL directly, without the API Management gateway, by passing in the client certificate in the header, and that also works without any issues.