If you don't have requirements that your certificate authenticator be
proprietary, might I suggest that you open-source it? I think this kind
of authentication may not be an uncommon use case, particularly with the
Internet of Things beginning to take off.
On Thu, Jul 7, 2016, at 10:53 AM, Filipe Lautert wrote:
Hello
Short story: is there a way to get the request body sent from the
client inside an Authenticator (my class implements Authenticator,
using method @Override authenticate(context))? I'm trying with
context.getHttpRequest().getInputStream() but it is empty.
Full story:
I'm trying to build a Keycloak authenticator that reads a client
certificate and uses it to validate the user, using as a base the
SecretQuestionAuthenticator example. The client certificate is a hard
token that is read by Firefox. To handle the certificate read part I'm
using Apache mod_ssl, with the below relevant configuration:

    SSLEngine on
    SSLProxyEngine on
    <LocationMatch "/auth">
        ProxyPass ajp://localhost:8010/auth
        ProxyPassReverse ajp://localhost:8010/auth
    </LocationMatch>
    SSLOptions +StdEnvVars +ExportCertData
    ... etc

Looking at a tcpdump/wireshark on port 8010, I can see that the client
certificate is sent in the request body to Keycloak.
So far fine, Apache validates the certificate, extracts it and sends it to
Keycloak. The problem is that I'm unable to read the request body
inside my authenticator class as
context.getHttpRequest().getInputStream() is empty, and as the body is
the raw certificate the
context.getHttpRequest().getFormParameters() method won't return me
anything.

    public class SecretQuestionAuthenticator implements Authenticator {
        @Override
        public void authenticate(AuthenticationFlowContext context) {
            System.out.println(context.getHttpRequest().getInputStream().available()); // prints 0
            System.out.println(getStringFromInputStream(context.getHttpRequest().getInputStream())); // empty :(

Any ideas of how I can get it to work?
Thanks
filipe
--
filipe lautert
--
Aikeaguinea
aikeaguinea(a)xsmail.com