Support forwarding HTTPS client certificates #344

Closed
jaliyaudagedara opened this issue Nov 2, 2023 · 3 comments
Labels
feature-request New feature or functionality request

jaliyaudagedara commented Nov 2, 2023

I was trying to debug a Certificate Authentication issue using Tunneling.

Basically I have an Azure APIM, where I am doing a [send-request](https://learn.microsoft.com/en-us/azure/api-management/send-request-policy) with authentication-certificate. The request URL is my tunneled ASP.NET Core Web API running locally.

It looks like the certificate is not getting forwarded in: No client certificate found.

```
[21:42:59 INF] Request starting HTTP/2 GET https://localhost:7097/api/v1/Tenants/GetTenantByClientId?clientId=69fffd25-cd92-4db6-9a72-852e9cfbb7a0 - -
[21:42:59 DBG] No Content-Type header for request body.
[21:42:59 INF] Request:
Protocol: HTTP/2
Method: GET
Scheme: https
PathBase:
Path: /api/v1/Tenants/GetTenantByClientId
Host: localhost:7097
traceparent: [Redacted]
x-request-id: [Redacted]
x-real-ip: [Redacted]
x-forwarded-host: [Redacted]
x-forwarded-port: [Redacted]
x-forwarded-scheme: [Redacted]
x-original-uri: [Redacted]
x-scheme: [Redacted]
x-original-proto: [Redacted]
X-Original-For: [Redacted]
[21:42:59 DBG] 2 candidate(s) found for the request path '/api/v1/Tenants/GetTenantByClientId'
[21:42:59 DBG] Endpoint '[Redacted]TenantsController.GetTenantByClientId ([Redacted])' with route pattern 'api/v{version:apiVersion}/Tenants/GetTenantByClientId' is valid for the request path '/api/v1/Tenants/GetTenantByClientId'
[21:42:59 DBG] Endpoint '[Redacted]TenantsController.GetTenantByTenantCode ([Redacted])' with route pattern 'api/v{version:apiVersion}/Tenants/{tenantCode}' is valid for the request path '/api/v1/Tenants/GetTenantByClientId'
[21:42:59 DBG] Request matched endpoint '[Redacted]TenantsController.GetTenantByClientId ([Redacted])'
[21:42:59 DBG] Static files was skipped as the request already matched an endpoint.
[21:42:59 DBG] No client certificate found.
[21:42:59 DBG] AuthenticationScheme: Certificate was not authenticated.
[21:43:00 DBG] AuthenticationScheme: Certificate was not authenticated.
[21:43:00 INF] Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
[21:43:00 INF] AuthenticationScheme: Bearer was challenged.
[21:43:00 INF] AuthenticationScheme: Certificate was challenged.
[21:43:00 INF] Response:
StatusCode: 403
WWW-Authenticate: [Redacted]
[21:43:00 INF] Request finished HTTP/2 GET https://localhost:7097/api/v1/Tenants/GetTenantByClientId?clientId=69fffd25-cd92-4db6-9a72-852e9cfbb7a0 - - - 403 0 - 1363.3172ms
```

And when the code is deployed to Azure, it's working fine: #51819

setaskin (Contributor) commented Nov 3, 2023

Hi @jaliyaudagedara, we don't support forwarding https client certificates. Thanks for reaching out. We will keep the issue open as a feature request.

setaskin added the feature-request label on Nov 3, 2023

curib changed the title from "Certificate Authentication Fails with 403 when Client certificate is forwarded" to "Support forwarding HTTPS client certificates" on Nov 4, 2023

jaliyaudagedara (Author) commented

Thanks for the confirmation @setaskin.

Yes please, thank you very much!

derekbekoe (Contributor) commented

Unfortunately, we don't have plans to support this at this time. Given this, I'll be closing this issue but thanks for the feature suggestion. If we're able to reconsider this in the future, we'll re-open this.
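
An added example, not part of the original thread or of the dev tunnels project: a small Python triage of the log from the opening post that flags the pattern seen there (proxy-added headers present, no certificate-carrying header, and the `No client certificate found.` event). The sample lines are copied from that log; the function name `triage` and the list of certificate header names are illustrative assumptions.

```python
import re

# Constructed sample: a few lines copied from the log in the opening post.
SAMPLE_LOG = """\
[21:42:59 INF] Request:
Protocol: HTTP/2
Host: localhost:7097
x-real-ip: [Redacted]
x-forwarded-host: [Redacted]
X-Original-For: [Redacted]
[21:42:59 DBG] No client certificate found.
[21:42:59 DBG] AuthenticationScheme: Certificate was not authenticated.
[21:43:00 INF] Response:
StatusCode: 403
"""

# Header names some TLS-terminating proxies use to pass the client
# certificate to the backend. Assumption: illustrative, not exhaustive.
CERT_HEADERS = {"x-arr-clientcert", "x-client-cert", "ssl-client-cert",
                "x-forwarded-client-cert"}
PROXY_HINT = re.compile(r"^(x-forwarded-|x-original-|x-real-ip$)")
LOG_LINE = re.compile(r"^\[\d{2}:\d{2}:\d{2} [A-Z]{3}\] (.*)$")
FIELD = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def triage(log_text):
    """Summarise one request's log: proxy hints, cert headers, auth outcome."""
    fields, in_request, no_cert, status = {}, False, False, None
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:  # a timestamped line starts a new log event
            in_request = m.group(1) == "Request:"
            no_cert = no_cert or m.group(1) == "No client certificate found."
            continue
        f = FIELD.match(line)
        if not f:
            continue
        if in_request:  # "Name: value" lines under the "Request:" event
            fields[f.group(1).lower()] = f.group(2)
        elif f.group(1) == "StatusCode":
            status = int(f.group(2))
    proxied = sorted(h for h in fields if PROXY_HINT.match(h))
    forwarded = sorted(h for h in fields if h in CERT_HEADERS)
    return {"proxy_headers": proxied, "cert_headers": forwarded,
            "no_client_cert": no_cert, "status": status,
            # An intermediary handled the request but passed no certificate on.
            "cert_not_forwarded": bool(proxied) and not forwarded and no_cert}
```
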
