2
votes

I've created an HTTP-triggered Azure Function and I've set up API Management to call the function. A certificate validation policy is set in APIM, and when APIM forwards the call to the Azure Function, the API key of the function is passed.

Is it possible to also add client certificate validation from APIM to the Function App, instead of just the API key?

1 Answer

0
votes

You need to add a property to the function app resource definition as described here for client certificate authentication to be enabled. You'll then need to do your own cert validation in the function code.

{
    "properties": {
        "clientCertEnabled": true
    }
}

Inspect this header for the base64-encoded client cert:

X-ARR-ClientCert

One caveat here: it may not work with Consumption plans. I didn't get around to testing it, so please leave a comment if it does work.

Alternatively, you could grab a Bearer token from Azure AD with the client credentials flow (client_id and client_secret) and call the function that way (enable EasyAuth for that to work). The bigger caveat here is also a question: can APIM do that flow for you? I have no clue.

Update:

Found something here. It looks like it's doable with an outbound policy that makes a raw POST request into Azure AD, which is fine, since that's what that flow is really about.
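One way to do the "own cert validation" step from the answer above, as an added example that is not part of the original answer: it decodes the `X-ARR-ClientCert` header and fails closed unless the certificate's SHA-256 fingerprint is on an allow-list. The function names, the header-dictionary shape and the choice of fingerprint pinning are assumptions; pinning alone does not check expiry or the issuing chain.

```python
import base64
import binascii
import hashlib
import hmac

CLIENT_CERT_HEADER = "X-ARR-ClientCert"  # header named in the answer above


def fingerprint_sha256(der: bytes) -> str:
    """Lower-case hex SHA-256 of the DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def check_client_cert(headers: dict, pinned: set) -> tuple:
    """Return (allowed, reason) for a request's header mapping.

    `pinned` holds the SHA-256 fingerprints of the certificates the
    caller (here: the APIM instance) is allowed to present.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(CLIENT_CERT_HEADER.lower(), "").strip()
    if not value:
        return False, "no client certificate presented"
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        der = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False, "header is not valid base64"
    # A DER certificate is an ASN.1 SEQUENCE, so it starts with 0x30.
    if not der.startswith(b"\x30"):
        return False, "decoded value is not a DER certificate"
    presented = fingerprint_sha256(der)
    # Compare against every pin in constant time; fail closed if none match.
    if any(hmac.compare_digest(presented, p.lower()) for p in pinned):
        return True, "fingerprint pinned"
    return False, "fingerprint not in allow-list"


# Constructed stand-ins for DER bytes (not real certificates): only the
# digest of the bytes matters for pinning.
SAMPLE_APIM_DER = b"\x30\x82\x01\x0a" + b"constructed-apim-cert"
SAMPLE_OTHER_DER = b"\x30\x82\x01\x0a" + b"constructed-other-cert"
PINNED = {fingerprint_sha256(SAMPLE_APIM_DER)}

if __name__ == "__main__":
    for der in (SAMPLE_APIM_DER, SAMPLE_OTHER_DER):
        hdr = {"x-arr-clientcert": base64.b64encode(der).decode()}
        print(check_client_cert(hdr, PINNED))
```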