Hi Thomas,
X509 user authentication behind a reverse proxy is not supported out of the box yet, afaik.
There is a fork off of 2.3.0 with necessary changes to enable x509 user auth when running
behind haproxy and apache reverse proxies. Basically, a reverse proxy uses custom headers
to pass the encoded client certificate and any certificates in the client cert chain to
the service behind the proxy, but the x509 authenticator does not know anything about the
custom headers and uses the incoming connection to look for the certificate instead.
Perhaps wildfly can be taught to somehow use the custom headers to pass the cert to the
application without any additional reverse proxy specific code, but my experience with
wildfly is limited so if anyone here can suggest a way to achieve that I would be
interested as well.
--Peter
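The proxy-side half of the hand-off Peter describes, as an added nginx example that is not part of this thread, of Keycloak or of the fork he mentions; the file paths, the upstream address and the header names are assumptions. It shows the proxy verifying the client certificate itself and then passing the verification result and the encoded certificate to the backend in headers it always overwrites, so the backend never sees a client-supplied value for them:

```nginx
# Added example, not from the thread. Paths, upstream and header names are hypothetical.
server {
    listen 443 ssl;
    server_name keycloak.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Client certificate verification is done by the proxy against this CA bundle
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client      optional;   # "on" would reject connections without a cert
    ssl_verify_depth       2;          # how many intermediates the chain may contain

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Usual forwarding headers so the backend builds correct redirect URLs
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Verification outcome ("SUCCESS", "FAILED:<reason>" or "NONE") and the
        # URL-encoded PEM client certificate. proxy_set_header replaces any header
        # of the same name that the client sent, so the backend only ever receives
        # values the proxy produced itself.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;
    }
}
```

`$ssl_client_escaped_cert` exists from nginx 1.13.5; on older builds `$ssl_client_cert` carries the same PEM with tab-indented continuation lines, which HTTP header handling on the backend may reject. Two checks matter on the receiving side: the backend should only accept these headers on connections that actually come from the proxy (bind it to localhost or filter by source address), and it should treat `X-SSL-Client-Verify` other than `SUCCESS` as "no certificate". As Peter notes, the stock x509 authenticator reads the certificate from the connection rather than from headers, so this configuration alone does not make the authenticator work behind the proxy.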
________________________________________
From: keycloak-user-bounces(a)lists.jboss.org [keycloak-user-bounces(a)lists.jboss.org] on
behalf of FOUTREIN Thomas [Thomas.FOUTREIN(a)imprimerienationale.fr]
Sent: Tuesday, September 26, 2017 11:22 AM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Help Needed on X509 Certificate Authentication with keycloak
behind Nginx reverse proxy
Hello,
I'm trying to use authentication with X509 client certificate with Keycloak.
I've put the configuration on a specific realm like explained in the keycloak
Documentation
(
http://www.keycloak.org/docs/3.3/server_admin/topics/authentication/x509....)
All is ok on my dev environment without reverse proxy. When I put the same configuration
on the integration environment with NGINX reverse proxy, the certificate never reaches
keycloak?
I've succeeded in verifying the client cert with nginx but keycloak never succeeds in
controlling the Client CN.
Could you help me with the configuration of both nginx and wildfly?
Here is my Nginx conf attempt & Standalone.xml keycloak conf in the attachment.
Thank you in advance for the help
Regards
Thomas Foutrein
Imprimerie Nationale