Hi,
I have an APIM instance, which has an App Gateway attached.
I am using an external system to call APIs using the client certificate flow.
The certificate is not reaching APIM, for the reason described in the following snippet from the MS doc:
Certificate validation with context variables
You can also create policy expressions with the context variable to check client certificates. Examples in the following sections show expressions using the context.Request.Certificate property and other context properties.
Note
Mutual certificate authentication might not function correctly when the API Management gateway endpoint is exposed through the Application Gateway. This is because Application Gateway functions as a Layer 7 load balancer, establishing a distinct SSL connection with the backend API Management service. Consequently, the certificate attached by the client in the initial HTTP request will not be forwarded to APIM. However, as a workaround, you can transmit the certificate using the server variables option. For detailed instructions, refer to Mutual Authentication Server Variables.
I have a couple of questions:
- How can I make Azure App GW pass the certificate as-is to APIM, so that it can be consumed using either the validate-client-certificate policy or context.Request.Certificate?
- If the above is not possible, can the certificate be sent in a header? If yes, how do I decode it and validate it against the certificate installed on APIM? Please provide examples or code snippets.
- Is this mTLS? How can we achieve mTLS with APIM and App GW?
Thanks
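As an added example (not from the question above or from Microsoft's documentation), the following APIM inbound policy implements the workaround described in the quoted note: Application Gateway completes mutual TLS with the caller and forwards the client certificate via its client_certificate server variable in a request header, and APIM rebuilds the certificate from that header and rejects the request unless it is within its validity period, chains to a CA uploaded to the APIM instance, and matches the thumbprint of a certificate uploaded to the instance. The header name X-Client-Cert, the rewrite-rule wiring, and the percent-encoding handling are assumptions.

```xml
<policies>
  <inbound>
    <base />
    <!-- Assumption: an Application Gateway rewrite rule sets the request header
         X-Client-Cert (example name) to {var_client_certificate}, and the gateway has
         already completed mutual TLS with the caller against its trusted client CA. -->
    <choose>
      <when condition='@{
          string raw = context.Request.Headers.GetValueOrDefault("X-Client-Cert", "");
          if (string.IsNullOrWhiteSpace(raw)) { return true; }

          // The forwarded PEM may arrive percent-encoded. Base64 never contains a percent
          // sign, so decoding only when one is present is safe; UnescapeDataString keeps
          // the plus sign intact, which WebUtility.UrlDecode would turn into a space.
          if (raw.Contains("%")) { raw = Uri.UnescapeDataString(raw); }
          string b64 = raw.Replace("-----BEGIN CERTIFICATE-----", "")
                          .Replace("-----END CERTIFICATE-----", "")
                          .Replace("\r", "").Replace("\n", "").Replace(" ", "");

          // Malformed input makes this expression throw, which fails the request (fail closed).
          var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(
              Convert.FromBase64String(b64));

          // Reject certificates outside their validity window.
          var now = DateTime.UtcNow;
          if (cert.NotBefore.ToUniversalTime() > now) { return true; }
          if (now > cert.NotAfter.ToUniversalTime()) { return true; }

          // Reject certificates that do not chain to a CA certificate uploaded to APIM.
          if (!cert.Verify()) { return true; }

          // Pin to the client certificate(s) uploaded to APIM (context.Deployment.Certificates).
          return !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == cert.Thumbprint);
      }'>
        <return-response>
          <set-status code="403" reason="Forbidden" />
        </return-response>
      </when>
    </choose>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
```

Because this trusts a request header, APIM must be reachable only through the gateway (for example an internal VNet deployment or an ip-filter policy allowing only the gateway's addresses); otherwise a caller reaching APIM directly could supply the header itself. The gateway rewrite rule should overwrite the header rather than append to it, so a client-supplied value never survives the hop.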