[keycloak-user] Help Needed on X509 Certificate Authentication with keycloak behind Nginx reverse proxy
Nalyvayko, Peter
pnalyvayko at agi.com
Tue Sep 26 23:48:44 EDT 2017
Hi Thomas,
X509 user authentication behind reverse proxy is not supported out of the box yet, afaik. There is a fork off of 2.3.0 with necessary changes to enable x509 user auth when running behind haproxy and apache reverse proxies. Basically, a reverse proxy uses custom headers to pass the encoded client certificate and any certificates in the client cert chain to the service behind the proxy, but the x509 authenticator does not know anything about the custom headers and uses the incoming connection to look for the certificate instead. Perhaps wildfly can be taught to somehow use the custom headers to pass the cert to the application without any additional reverse proxy specific code, but my experience with wildfly is limited so if anyone here can suggest a way to achieve that I would be interested as well.
--Peter
________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of FOUTREIN Thomas [Thomas.FOUTREIN at imprimerienationale.fr]
Sent: Tuesday, September 26, 2017 11:22 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Help Needed on X509 Certificate Authentication with keycloak behind Nginx reverse proxy
Hello,
I'm trying to use authentication with X509 client certificate with Keycloak.
I've put the configuration on a specific realm like explained in the keycloak Documentation (http://www.keycloak.org/docs/3.3/server_admin/topics/authentication/x509.html)
All is ok on my dev environment without reverse proxy. When I put the same configuration on the integration environment with NGINX reverse proxy, the certificate never reaches keycloak?
I've succeeded in verifying the client cert with nginx but keycloak never succeeds in controlling the Client CN
Could you help me with the configuration of both nginx and wildfly?
Here is my Nginx conf try & Standalone.xml keycloak conf in attachment
Thank you in advance for the help
Regards
Thomas Foutrein
Imprimerie Nationale
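The proxy half of the mechanism described in the reply above, as an added example that is not part of the thread and not the attached configuration: nginx terminates TLS, verifies the client certificate, and forwards it to the backend in a custom header. The server name, file paths, upstream address and the `X-SSL-Client-*` header names are placeholders. As the reply states, the x509 authenticator reads the certificate from the incoming connection, so this header is ignored unless the backend is changed to consume it.

```nginx
# Added example. Hostname, paths, upstream address and the
# X-SSL-Client-* header names are placeholders, not values from the thread.
server {
    listen 443 ssl;
    server_name sso.example.test;

    ssl_certificate         /etc/nginx/tls/server.crt;
    ssl_certificate_key     /etc/nginx/tls/server.key;

    # CA bundle used to verify client certificates at the proxy.
    ssl_client_certificate  /etc/nginx/tls/client-ca.crt;
    ssl_verify_client       on;   # handshake must present a valid client cert
    ssl_verify_depth        2;

    location / {
        # Backend listens on loopback only, so the forwarded header can
        # only ever arrive from this proxy.
        proxy_pass http://127.0.0.1:8080;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # URL-encoded PEM of the verified client certificate
        # ($ssl_client_escaped_cert needs nginx 1.13.5 or later).
        # proxy_set_header replaces any header of the same name sent by
        # the client, so a forged copy never reaches the backend.
        proxy_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;

        # Verification result: SUCCESS, FAILED:<reason> or NONE.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    }

    # Pitfall: proxy_set_header directives are inherited from the outer
    # level only when a location defines none of its own. Any additional
    # location that sets its own proxy headers must repeat the two
    # X-SSL-Client-* lines, otherwise a client-supplied header of that
    # name is passed through to the backend unchanged.
}
```

A backend that trusts this header must accept it only on connections from the proxy; if the backend port is reachable directly, anyone can supply the header themselves.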