Sounds like a good way to do it to me.
Had a quick search for two-way SSL, and IBM Identity Manager Express does both:
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Monday, 27 January, 2014 4:53:59 PM
Subject: [keycloak-dev] authenticating applications
If SSL is a realm requirement, can't you use two-way SSL between
Keycloak and the application's server using the certificates of each of
those servers? There would be no need to set up client certs. For
self-signed certs you could even do what the browser does and have the
admin console ask to trust the cert from the host of the application's
server (vice versa too!).
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com