[keycloak-user] Keycloak behind Apache with SSL - read certificate from body

Filipe Lautert filipelautert at gmail.com
Thu Jul 7 10:53:38 EDT 2016


Hello

short story: is there a way to get the request body sent from the client
inside an Authenticator (my class implements Authenticator, using method
@Override authenticate(context))? I'm trying with
context.getHttpRequest().getInputStream()
but it is empty.

Full story:
I'm trying to build a Keycloak authenticator that reads a client
certificate and uses it to validate the user, using as a base the
SecretQuestionAuthenticator example. The client certificate is a hard
token that is read by Firefox. To handle the certificate read part I'm using
Apache mod_ssl, with the below relevant configuration:

SSLEngine on
SSLProxyEngine on
<LocationMatch "/auth">
    ProxyPass ajp://localhost:8010/auth
    ProxyPassReverse ajp://localhost:8010/auth
</LocationMatch>
SSLOptions +StdEnvVars +ExportCertData
... etc


Looking at a tcpdump/wireshark on port 8010, I can see that the client
certificate is sent in the request body to Keycloak.


So far fine, Apache validates the certificate, extracts it and sends it to
Keycloak. The problem is that I'm unable to read the request body inside my
authenticator class as context.getHttpRequest().getInputStream() is empty,
and as the body is the raw certificate the method
context.getHttpRequest().getFormParameters()
won't return me anything.


public class SecretQuestionAuthenticator implements Authenticator {

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        System.out.println(context.getHttpRequest().getInputStream().available()); // prints 0
        System.out.println(getStringFromInputStream(context.getHttpRequest().getInputStream())); // empty :(
    }

    // ... remaining Authenticator methods omitted
}


Any ideas of how I can get it to work?


Thanks


filipe
-- 
filipe lautert