Thanks, Peter! I think that did it. We somehow missed that in the documentation
initially.
On May 4, 2017, at 11:52 AM, Nalyvayko, Peter
<pnalyvayko(a)agi.com> wrote:
Hi,
Not a hundred percent sure, but you may have to edit standalone.xml to update the
"connectionsHttpClient" SPI provider configuration (unless you have already done so)
by adding a path to the client cert store containing your x509 client certificate, the
client store password and the private key's password (if any).
"client-keystore"
"client-keystore-password"
"client-key-password"
My $0.02
--Peter
________________________________________
From: keycloak-user-bounces(a)lists.jboss.org [keycloak-user-bounces(a)lists.jboss.org] on
behalf of Jeremy Waterman [jeremy(a)perspectivepartners.com]
Sent: Thursday, May 4, 2017 10:50 AM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Use X.509 certificate when retrieving Access Token from OIDC
Provider?
Hi all,
We are using Keycloak as an identity broker with a third party service. We’ve set the
third party up as an OIDC Identity Provider within Keycloak, but we’ve hit a snag. The
third party that we’re working with requires that requests to retrieve an access token are
sent with an X.509 certificate. We can’t find a way within Keycloak to set this up and
when we hit the token server URL to exchange the authorization code for a token, we are
getting an error back from the third party - “proper client ssl certificate was not
presented.”
Any ideas on how to support this with Keycloak?
Thanks for any help!!
Jeremy
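
An added example, not part of the thread or of Keycloak's own code: a small check that a standalone.xml carries the three "connectionsHttpClient" properties Peter lists. The subsystem layout, namespace, provider name, keystore path and passwords in the sample are assumptions and placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the layout of the keycloak-server subsystem in
# standalone.xml is an assumption; path and passwords are placeholders.
SAMPLE = """\
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
  <spi name="connectionsHttpClient">
    <provider name="default" enabled="true">
      <properties>
        <property name="client-keystore" value="/path/to/client-keystore.jks"/>
        <property name="client-keystore-password" value="CHANGE_ME"/>
        <property name="client-key-password" value="CHANGE_ME"/>
      </properties>
    </provider>
  </spi>
</subsystem>
"""

REQUIRED = ("client-keystore", "client-keystore-password")
OPTIONAL = ("client-key-password",)  # only if the private key has its own password


def local(tag):
    """Strip the XML namespace so the check works across subsystem versions."""
    return tag.rsplit("}", 1)[-1]


def http_client_properties(xml_text):
    """Return {name: value} for the connectionsHttpClient SPI, or None if absent."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if local(el.tag) == "spi" and el.get("name") == "connectionsHttpClient":
            return {p.get("name"): p.get("value", "")
                    for p in el.iter() if local(p.tag) == "property"}
    return None


def check_client_cert_config(xml_text):
    """List problems that would stop Keycloak presenting a client certificate."""
    props = http_client_properties(xml_text)
    if props is None:
        return ["connectionsHttpClient SPI is not configured"]
    problems = [f"missing or empty property: {n}" for n in REQUIRED if not props.get(n)]
    problems += [f"empty property: {n}" for n in OPTIONAL if n in props and not props[n]]
    return problems


if __name__ == "__main__":
    print(check_client_cert_config(SAMPLE) or "client certificate settings present")
```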