Thank you very much.
I already found this lookup provider in documentation and configured as proposed.
Thank you again,
Nikola
-----Original Message-----
From: Dmitry Telegin [mailto:dt@acutus.pro]
Sent: Tuesday, December 18, 2018 5:56 AM
To: Nikola Malenic <nikola.malenic(a)netsetglobal.rs>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak behind reverse proxy
Hello Nikola,
You need to configure a x509cert-lookup SPI in your Keycloak config file. Check this out,
there are examples for haproxy and Apache:
https://www.keycloak.org/docs/latest/server_admin/#client-certificate-lookup
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Mon, 2018-12-17 at 15:39 +0100, Nikola Malenic wrote:
I configured mutual-ssl authentication on Keycloak. That means that
user coming to Keycloak does SSL handshake allowing Keycloak to
extract data from client certificate and map that data to an existing
user at Keycloak, and based on that authenticate the user.
Now, I need to configure reverse proxy in front of Keycloak. I'm using
Apache's httpd.
The problem is that user's browser now does SSL handshake with the
reverse proxy server instead of Keycloak and sends plain http request,
disabling Keycloak to map and authenticate the user.
Is there a proposed method to achieve this?
Can I configure some reverse proxy (maybe not httpd) to proxy requests
on the transport layer? For example, I've seen there is a way to do
client authentication on httpd and then send client certificate
details to the Wildfly through AJP protocol, but how to map this data to the user then?
Or should I somehow configure Keycloak for this?
Maybe configure the proxy to be KC's client and do the authentication
somehow?
Many thanks,
Nikola
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
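The httpd side of the setup Dmitry points to, as an added example (constructed for this thread, not taken from the Keycloak documentation or from either poster); the hostname, certificate paths and the backend address keycloak.internal:8080 are placeholders:

```apache
# Constructed example: Apache httpd 2.4 with mod_ssl, mod_headers and
# mod_proxy_http terminating TLS in front of Keycloak. Hostnames, file
# paths and the backend address are placeholders.
<VirtualHost *:443>
    ServerName sso.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/sso.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/sso.example.com.key

    # The proxy now does the client-certificate handshake, so it must
    # verify the browser's certificate against the CA(s) that the
    # Keycloak X509 authenticator is configured to trust.
    SSLCACertificateFile    /etc/ssl/certs/client-ca.pem
    SSLVerifyClient         require
    SSLVerifyDepth          3

    # Pass the verified certificate to Keycloak in the header that the
    # "apache" x509cert-lookup provider reads. "set" (not "append")
    # replaces any SSL_CLIENT_CERT header a client may have sent, so the
    # backend only ever sees the value the proxy itself produced.
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

    # Keep Keycloak's redirects and cookies on the public https origin.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost On

    # Plain HTTP to the backend is only acceptable if port 8080 on the
    # Keycloak host is reachable from this proxy alone; otherwise a
    # direct caller could supply its own SSL_CLIENT_CERT header.
    ProxyPass        /auth http://keycloak.internal:8080/auth
    ProxyPassReverse /auth http://keycloak.internal:8080/auth
</VirtualHost>
```

On the Keycloak side, the x509cert-lookup SPI from the linked documentation is configured with the apache provider and its sslClientCert property set to the same header name (SSL_CLIENT_CERT) so the X509 authenticator maps the forwarded certificate instead of the (now absent) TLS-layer one.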