APIM - Validating a thumbprint against certificates uploaded to API Management
I currently have the below policy which validates the certificate thumbprint against "any" certificate uploaded to API Management:
<choose>
<when condition="@(context.Request.Certificate == null || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
<return-response>
<set-status code="403" reason="Invalid client certificate"/>
</return-response>
</when>
</choose>
But I want to validate a thumbprint against a "specific" certificate uploaded to API Management, not "any".
I have tried the below policy:
<choose>
<when condition="@(context.Request.Certificate == null || context.Deployment.Certificates["MyCert"].Thumbprint == context.Request.Certificate.Thumbprint)">
<return-response>
<set-status code="403" reason="Invalid client certificate"/>
</return-response>
</when>
</choose>
"MyCert" is the "Id" of the "Client Certificate" in API which refers to the certificate uploaded in Key Vault.
But when I call the API, it throws this error: Expression evaluation failed. The given key 'MyCert' was not present in the dictionary. at System.Collections.Immutable.ImmutableDictionary`2.get_Item(TKey key)
Can someone please help me with this issue?
context.Deployment.Certificates.Values doesn't contain Certificate Id parameter to filter. You can validate it by using <set-variable name="Values" value="@((string)string.Join(", ", context.Deployment.Certificates.Values))" /> expression.
You can use the below given policy to pass the Thumbprint of a specific certificate uploaded in APIM to verify against the incoming certificate.
<policies>
<inbound>
<base />
<choose>
<when condition="@(context.Request.Certificate != null || (string)context.Deployment.Certificates.Values.FirstOrDefault(cert => cert.Thumbprint == "<APIMCertThumbprint>")?.Thumbprint == context.Request.Certificate.Thumbprint)">
<return-response>
<set-status code="200" reason="OK" />
<set-body>Valid certificate</set-body>
</return-response>
</when>
<otherwise>
<return-response>
<set-status code="403" reason="Invalid client certificate" />
<set-body>Invalid or missing client certificate</set-body>
</return-response>
</otherwise>
</choose>
</inbound>
</policies>
Due to some limitations I can't pass the certificate information in request body, so I am testing by storing the value of thumbprint in set-variable against the uploaded certificate in APIM.
- After importing an Azure Function app into API Management service, how do I view/edit the policy adding the generated host key authorizing calls?
- Invoking API fails from web page, though succeeds in Test pages
- Azure api management service fails to authorize call to web app API
- Why doesn't the azure-openai-emit-token-metric policy capture token usage for GPT4o stream responses?
- Applying outbound policies to a mocked operation in Azure API Management
- How to integrate Azure function in apim policy
- APIM - Validating a thumbprint against certificates uploaded to API Management
- Api Management Test Console Fails, Am I Doing something wrong with Inbound Policies?
- Azure API Management access from Microsoft Fabric - handling IP restrictions
- APIM Combine throttling policy approach
- Azure Api Management restrict users from operational level
- Publish apim policy with bicep set-body and set-backend-service at same time
- Terrform Module for Azure APIM Definitions
- Securing an azure API with oauth: Able to retrieve a token but token is invalid
- APIM Policy - Fetch value from incoming SOAP requset and set variable
- How to add users to Administrators group in new Azure API Management Developer Portal when only using Azure AD Identity?
- how to integrate graph api in apim service
- API Management service - 2 APIs for same service
- How to log Azure APIM user in Application Insights
- Azure API Management service - getting the subscription key into Application Insights
- Bing Search API: Getting 401 Acces Denied error while using the right suscription key
- Azure Api Management append api to existing api with arm
- Configuration issue in azure api management service
- In a hybrid scenario, should APIM used for system to system Azure cloud to on-premises invocations?
- Why does the subscription key have product=<name> when I select a Product?
- How to using the generated token to authenticate the ADF REST API
- Validated Open API spec fails to upload on Azure API Management
- How to temporary stop Azure API Management Service
- How to specify rewrite url for query string parameters in Azure API Management
- Enabling minimum apiVersion to 2021-08-01 in Azure API Management causing saving issues or deployment errors for existing logic apps