
Add mTLS support for keycloak client #1037

Open
wants to merge 5 commits into
base: main

Conversation

lucdew

@lucdew lucdew commented Dec 21, 2024

Hi,
The keycloak server can be protected with mutual TLS authentication done directly by Keycloak or with the help of a reverse proxy.

The current pull request adds support for mTLS client authentication.

I have added 2 parameters instead of a single one, like some tools do (HAProxy for instance), where the client certificate and private key are provided as a file concatenation of PEM encoded assets. The main reason is that it allows them to be protected differently by the caller: the private key can be passed as a sensitive variable of a Terraform module. It avoids parsing a file to extract them.
Also, I think it is better to pass strings instead of file paths; it gives more flexibility for the caller to store these assets.

But the drawback is that it adds 2 parameters and functions start to have too many parameters. I did not want to refactor that using option callbacks for instance.

No unit tests are provided.

I also go-formatted the changed source files.

BR

@thomasdarimont
Contributor

thomasdarimont commented Jan 2, 2025

Hi @lucdew, thanks for your PR and happy new year :)

I think the linked Keycloak docs show how to configure HTTPS for Keycloak but not how to enable mTLS. The proper documentation for that is here: https://www.keycloak.org/server/mutual-tls

Do you have an example at hand to test this?

@lucdew
Author

lucdew commented Jan 4, 2025

Hi @thomasdarimont and happy new year,

I have added some instructions in the README.md to run the acceptance tests using mTLS.
The docker compose now starts Keycloak on the additional https port 8443. I have added some environment variables to configure the TLS client cert/key and CA cert (to validate the server cert) in the tests.
So it does not test the provider's client TLS properties sadly.

The server and client self-signed certificates and RSA private keys have been generated with OpenSSL.
For the server:

openssl req -x509 -newkey rsa:2048 -keyout provider/misc/tls-server-key.pem -out provider/misc/tls-server-cert.pem -sha256 -days 7300 -nodes -subj "/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost" -addext "subjectAltName = DNS:localhost"

and the client:

openssl req -x509 -newkey rsa:2048 -keyout provider/misc/tls-client-key.pem -out provider/misc/tls-client-cert.pem -sha256 -days 7300 -nodes -subj "/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=client-mtls-2048"

I have added another client key pair to perform a manual negative test, just to make sure that, if a wrong client key pair is loaded in the provider, the server rejects it because client authentication is required.
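The two-parameter design from the first comment (client cert and key as separate PEM strings) and the negative test with a wrong key pair from this one, shown as an added Go example that is not code from this PR or from the provider: `TLSClientConfig` loads the pair and the optional CA PEM into a `tls.Config`, and `SelfSignedPEM` is a constructed stand-in for the OpenSSL-generated files (function names and the ECDSA key type are assumptions of this example).

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// TLSClientConfig builds the tls.Config an HTTP client needs to reach an mTLS-protected
// Keycloak: cert and key as separate PEM strings, plus the CA PEM that issued the server cert.
func TLSClientConfig(clientCertPEM, clientKeyPEM, caCertPEM string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if clientCertPEM != "" || clientKeyPEM != "" {
		// X509KeyPair rejects a key that does not match the cert, so a wrong pair fails before any handshake.
		cert, err := tls.X509KeyPair([]byte(clientCertPEM), []byte(clientKeyPEM))
		if err != nil {
			return nil, fmt.Errorf("client key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	if caCertPEM != "" {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM([]byte(caCertPEM)) {
			return nil, fmt.Errorf("CA PEM contains no certificate")
		}
		cfg.RootCAs = pool
	}
	return cfg, nil
}

// SelfSignedPEM generates throwaway self-signed test material (constructed here, not the PR's files).
func SelfSignedPEM(cn string) (certPEM, keyPEM string, err error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not return errors
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key generated just above
	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
	return certPEM, keyPEM, nil
}
```

Pairing the returned config with `&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}` gives a client that presents the certificate on the 8443 port; a mismatched key is rejected locally, and a correct pair that the server does not trust is rejected in the handshake.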
