I am testing authentication against the Client Certificate functionality with the out-of-the-box Echo API GET request. I have added an inbound rule to check that the request has a certificate.
I am using a self-signed certificate, which I have uploaded under both CA certificates and client certificates.
```xml
<inbound>
  <choose>
    <when condition="@(context.Request.Certificate == null)">
      <return-response>
        <set-status code="403" reason="Invalid client certificate"/>
      </return-response>
    </when>
  </choose>
  <base />
</inbound>
```

In my client application, I am using the code below to make the call:
```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security;
using System.Security.Cryptography.X509Certificates;

public static void MakeAnAzureApiCall()
{
    var url = @"xxxx.azure-api/echo/resource?param1=sample";

    // Present the client certificate manually rather than letting the
    // handler pick one from the certificate store.
    var handler = new WebRequestHandler();
    handler.ClientCertificateOptions = ClientCertificateOption.Manual;

    // Build a SecureString holding the PFX password.
    SecureString sec = new SecureString();
    string pwd = "P@ssw0rd";
    pwd.ToCharArray().ToList().ForEach(sec.AppendChar);
    sec.MakeReadOnly();

    // Load the certificate together with its private key from the PFX.
    var cert = new X509Certificate2(@"C:\temp\apim.pfx", sec, X509KeyStorageFlags.MachineKeySet);
    //X509Certificate2.CreateFromCertFile(@"C:\temp\apim1.cer");
    handler.ClientCertificates.Add(cert);

    var client = new HttpClient(handler);
    var request = new HttpRequestMessage(HttpMethod.Get, url);
    request.Headers.TryAddWithoutValidation("Ocp-Apim-Subscription-Key", "xxxxxxxxxxxxxxxxxx");

    var response = client.SendAsync(request).Result;
    string responseString = response.Content.ReadAsStringAsync().Result;
}
```

I am always getting a 403 response from API Management; it looks like the certificate never reaches APIM. Does anyone know what I am doing wrong here?
EDIT 1: Here is the trace file from Azure
```json
{
  "traceId": "421658ba50fb480786757c8d7c22da48",
  "traceEntries": {
    "inbound": [
      {
        "source": "api-inspector",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0002782",
        "data": {
          "request": {
            "method": "GET",
            "url": "doddapim.azure-api/echo/resource?param1=sample",
            "headers": [
              { "name": "Ocp-Apim-Subscription-Key", "value": "e7f21197ef6f4628bdcde8f23394812d" },
              { "name": "Postman-Token", "value": "c4f8ef9a-6428-4781-bf4a-e774145c14e9" },
              { "name": "X-Forwarded-For", "value": "10.26.60.106" },
              { "name": "X-BlueCoat-Via", "value": "ee27777141854371" },
              { "name": "Cache-Control", "value": "no-cache" },
              { "name": "Connection", "value": "Keep-Alive" },
              { "name": "Accept", "value": "*/*" },
              { "name": "Accept-Encoding", "value": "gzip,deflate" },
              { "name": "Host", "value": "doddapim.azure-api" },
              { "name": "User-Agent", "value": "PostmanRuntime/7.15.2" }
            ]
          }
        }
      },
      {
        "source": "api-inspector",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0002814",
        "data": {
          "configuration": {
            "api": {
              "from": "/echo",
              "to": { "scheme": "http", "host": "echoapi.cloudapp", "port": 80, "path": "/api", "queryString": "", "query": {}, "isDefaultPort": true },
              "version": null,
              "revision": "1"
            },
            "operation": { "method": "GET", "uriTemplate": "/resource" },
            "user": "-",
            "product": "-"
          }
        }
      },
      {
        "source": "cors",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0014853",
        "data": "Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
      },
      {
        "source": "cors",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0014872",
        "data": "Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
      },
      {
        "source": "client-certificate-handler",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0014961",
        "data": "Requesting client certificate because next handler requires access to it."
      },
      {
        "source": "client-certificate-handler",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0017793",
        "data": "No client certificate received."
      },
      {
        "source": "choose",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0017844",
        "data": { "message": "Expression was successfully evaluated.", "expression": "context.Request.Certificate == null", "value": true }
      },
      {
        "source": "set-status",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0017909",
        "data": { "message": [ "Response status code was set to 403", "Response status reason was set to 'Invalid client certificate'" ] }
      },
      {
        "source": "return-response",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0017946",
        "data": { "message": "Return response was applied", "response": { "status": { "code": "Forbidden", "reason": "Invalid client certificate" }, "headers": [] } }
      }
    ],
    "outbound": [
      {
        "source": "transfer-response",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0018163",
        "data": { "message": "Response headers have been sent to the caller." }
      }
    ]
  }
}
```
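The policy in the question only checks that some certificate arrived at the gateway; once the proxy problem is solved, any certificate the TLS layer hands over would pass. As an added example (not from the question or from Microsoft's documentation), here is the same inbound section extended to also reject a certificate that does not chain to a CA uploaded to the APIM instance or whose thumbprint is not among the uploaded client certificates; it relies on the APIM policy expression `context.Deployment.Certificates`, which exposes the certificates uploaded under the Certificates blade.

```xml
<inbound>
  <choose>
    <!-- Case 1: no certificate reached the gateway. This is the situation in the
         question's trace ("No client certificate received."). -->
    <when condition="@(context.Request.Certificate == null)">
      <return-response>
        <set-status code="403" reason="No client certificate" />
      </return-response>
    </when>
    <!-- Case 2: a certificate arrived but Verify() cannot build a trusted chain
         to a CA certificate uploaded to this APIM instance. For a self-signed
         certificate, as in the question, that means the certificate itself must
         be uploaded as a CA certificate. -->
    <when condition="@(!context.Request.Certificate.Verify())">
      <return-response>
        <set-status code="403" reason="Client certificate failed chain validation" />
      </return-response>
    </when>
    <!-- Case 3: the chain is fine, but the thumbprint is not one of the client
         certificates uploaded to the instance, so an unrelated certificate
         issued by the same CA is still rejected. -->
    <when condition="@(!context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
      <return-response>
        <set-status code="403" reason="Unknown client certificate" />
      </return-response>
    </when>
  </choose>
  <base />
</inbound>
```

Because `choose` evaluates its `when` branches in order, the null check has to stay first; otherwise the later expressions dereference a null certificate. The distinct reason strings also make the trace show which of the three checks rejected the request.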
Accepted answer:
Finally, I figured it out. The proxy is blocking the client from sending the certificate to the server. Nothing wrong with the code or configuration.