Hi WEI LI, Is this what you are looking for? https://github.com/keycloak/keycloak/pull/4546 ________________________________________ From: keycloak-user-bounces(a)lists.jboss.org [keycloak-user-bounces(a)lists.jboss.org] on behalf of Wei Li [weil(a)redhat.com] Sent: Wednesday, November 22, 2017 10:37 AM To: keycloak-user(a)lists.jboss.org Subject: [keycloak-user] client certificate authentication using HAProxy and Keycloak Hi, We are using HAProxy as the reverse proxy for the Keycloak server, and we are terminating the SSL connection at HAProxy. Now we want to enable client certificate authentication. Because the SSL is terminated at HAProxy, we can't use the existing CCA feature provided by Keycloak. But we can get the client cert info in HAProxy and pass them onto Keycloak in headers. So is there a way to allow Keycloak to get the user info from the headers and perform authentication? Thanks for your help in advance! -- WEI LI SENIOR SOFTWARE ENGINEER Red Hat Mobile <https://www.redhat.com/> weil(a)redhat.com M: +353862393272 <https://red.ht/sig> _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Hi WEI LI, I cannot tell you when the PR will be merged, but I've been meaning to test the migration steps and follow up with Marek before the end of the month --Peter ________________________________________ From: Wei Li [weil(a)redhat.com] Sent: Wednesday, November 22, 2017 11:30 AM To: Nalyvayko, Peter Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] client certificate authentication using HAProxy and Keycloak Hi Peter, Yes, that is exactly what I am looking for. Thank you very much. Do you have any idea when that PR can be merged? Thanks. On Wed, Nov 22, 2017 at 4:25 PM, Nalyvayko, Peter <pnalyvayko@agi.com<mailto:pnalyvayko@agi.com>> wrote: Hi WEI LI, Is this what you are looking for? https://github.com/keycloak/keycloak/pull/4546 ________________________________________ From: keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org> [keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>] on behalf of Wei Li [weil@redhat.com<mailto:weil@redhat.com>] Sent: Wednesday, November 22, 2017 10:37 AM To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> Subject: [keycloak-user] client certificate authentication using HAProxy and Keycloak Hi, We are using HAProxy as the reverse proxy for the Keycloak server, and we are terminating the SSL connection at HAProxy. Now we want to enable client certificate authentication. Because the SSL is terminated at HAProxy, we can't use the existing CCA feature provided by Keycloak. But we can get the client cert info in HAProxy and pass them onto Keycloak in headers. So is there a way to allow Keycloak to get the user info from the headers and perform authentication? Thanks for your help in advance! -- WEI LI SENIOR SOFTWARE ENGINEER Red Hat Mobile <https://www.redhat.com/> weil@redhat.com<mailto:weil@redhat.com> M: +353862393272<tel:%2B353862393272> <https://red.ht/sig> _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user -- WEI LI SENIOR SOFTWARE ENGINEER Red Hat Mobile<https://www.redhat.com/> weil@redhat.com<mailto:weil@redhat.com> M: +353862393272<tel:+353862393272> [https://www.redhat.com/files/brand/email/sig-redhat.png]<https://red.h...