Hello, I’m having issues making x509 client authentication work with my setup.
- I’m using the keycloak 21.0.2 container (with quarkus) with these env variables:
```yaml
KC_DB: mariadb
KC_DB_URL_HOST: mariadbhost
KC_DB_USERNAME: username
KC_DB_PASSWORD: 'somesecret'
KC_DB_SCHEMA: keycloak
KC_HOSTNAME_STRICT: false
KC_PROXY: edge
KC_HOSTNAME: my.hostname.tld
KC_HTTP_RELATIVE_PATH: /auth
KC_TRANSACTION_XA_ENABLED: false
KC_HEALTH_ENABLED: true
KC_CACHE: local
KEYCLOAK_ADMIN: someadmin
KEYCLOAK_ADMIN_PASSWORD: 'someadminpassword'
KC_LOG_LEVEL: DEBUG
```
- I followed the documentation to configure it, made a copy of the default browser flow, added an “X509/Validate Username Form” step set to “required” to it and bound it as the browser flow.
- I configured my reverse proxy (nginx) to send the client certificate in the ssl-client-cert header (and verified it was correctly passed with a debug container as backend)
- I configured my docker-compose file to start my container with the command:
```shell
start --https-key-store-file=/etc/x509/https/keystore.ks --https-key-store-password=password --https-trust-store-file=/etc/x509/https/truststore.ks --https-trust-store-password=password --spi-truststore-file-file=/etc/x509/https/truststore.ks --spi-truststore-file-password=password --spi-truststore-file-hostname-verification-policy=ANY --spi-truststore-file-type=jks --spi-x509-cert-lookup-nginx-enabled=true --spi-x509-cert-lookup-nginx-ssl-client-cert=ssl-client-cert --spi-x509-cert-lookup-nginx-trust-proxy-verification=true --spi-x509-cert-lookup-nginx-ssl-cert-chain-prefix=CERT_CHAIN --spi-x509-cert-lookup-nginx-certificate-chain-length=2
```
Note: I tried with and without the ssl-cert-chain-prefix; as per the documentation, for the nginx provider it should be calculated from the SPI truststore (so when I enabled it, I configured my RP to send both CERT_CHAIN_0 and CERT_CHAIN_1 headers).
- I tried building an image with the --spi-* flags
- I verified I could correctly curl my 8443 port with cert validation OK and my reverse proxy uses this one as its backend
The issue:
I’m correctly prompted for my client cert, but it does not seem to be passed down to my keycloak server, as I get the message “We are sorry… Invalid username or password.” with this in the debug logs:
```
keycloak-test-keycloak-1 | 2023-04-01 12:16:55,570 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-11) processFlow: browser-x509
keycloak-test-keycloak-1 | 2023-04-01 12:16:55,570 WARN [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-11) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector, null]
keycloak-test-keycloak-1 | 2023-04-01 12:16:55,570 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-11) check execution: 'auth-x509-client-username-form', requirement: 'REQUIRED'
keycloak-test-keycloak-1 | 2023-04-01 12:16:55,571 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-11) authenticator: auth-x509-client-username-form
keycloak-test-keycloak-1 | 2023-04-01 12:16:55,571 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-11) Selections when trying execution 'auth-x509-client-username-form' : [ authSelection - auth-x509-client-username-form]
keycloak-test-keycloak-1 | 2023-04-01 12:16:55,572 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-11) invoke authenticator.authenticate: auth-x509-client-username-form
keycloak-test-keycloak-1 | 2023-04-01 12:16:55,572 DEBUG [org.keycloak.services] (executor-thread-11) [X509ClientCertificateAuthenticator:authenticate] x509 client certificate is not available for mutual SSL.
keycloak-test-keycloak-1 | 2023-04-01 12:16:55,572 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-11) authenticator ATTEMPTED: auth-x509-client-username-form
```
Can someone help me debug this please?
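Added example (editor's note, not part of the post above and not Keycloak's code): the "x509 client certificate is not available for mutual SSL" message is what you get when the proxy-header lookup returns no certificate, so the first thing to reproduce is the exact header format that travels from nginx to Keycloak. nginx's `$ssl_client_escaped_cert` variable carries the client certificate as percent-encoded PEM, so that the PEM newlines survive inside a single header line, and `$ssl_client_verify` carries `SUCCESS`, `NONE` or `FAILED:...`. The script below models that round trip: `nginx_escaped_cert` builds a header value the way nginx would, and `lookup_client_cert` is a small model of a proxy-header lookup (an assumption written for this example, not the real provider) that returns the certificate's DER bytes, or `None` for the cases that end in the log line above: header missing, proxy verification not successful when the lookup is told to trust it, or a value that is not a PEM certificate. `SAMPLE_DER` is constructed filler, not a real certificate; only the framing and escaping are exercised.

```python
import ssl
from urllib.parse import quote, unquote

# Constructed sample: NOT a real X.509 certificate, just a few DER-looking
# bytes so the PEM framing / URL escaping round trip can be shown offline.
SAMPLE_DER = bytes.fromhex("3082000a0201010201020500")


def nginx_escaped_cert(der: bytes) -> str:
    """Build the value nginx's $ssl_client_escaped_cert would put in a header:
    the PEM text of the certificate, percent-encoded (newlines become %0A)."""
    pem = ssl.DER_cert_to_PEM_cert(der)      # adds BEGIN/END CERTIFICATE lines
    return quote(pem, safe="")               # escape everything except unreserved chars


def lookup_client_cert(headers,
                       cert_header="ssl-client-cert",
                       verify_header="ssl-client-verify",
                       trust_proxy_verification=True):
    """Model of a proxy-header certificate lookup (assumption for this example,
    not Keycloak's implementation).

    Returns the DER bytes of the client certificate, or None when the proxy did
    not hand over a usable certificate. Every None here corresponds to the
    'x509 client certificate is not available' outcome in the authenticator."""
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    raw = lowered.get(cert_header.lower())
    if not raw:
        return None                                        # proxy sent no certificate header
    if trust_proxy_verification and lowered.get(verify_header.lower()) != "SUCCESS":
        return None                                        # we rely on the proxy, and it did not verify
    pem = unquote(raw)                                     # undo nginx's percent-encoding
    try:
        return ssl.PEM_cert_to_DER_cert(pem)               # requires proper PEM framing
    except ValueError:
        return None                                        # header value is not a PEM certificate


if __name__ == "__main__":
    header_value = nginx_escaped_cert(SAMPLE_DER)
    print("header as nginx would send it:", header_value)
    good = {"ssl-client-cert": header_value, "ssl-client-verify": "SUCCESS"}
    print("lookup with correct headers ->", lookup_client_cert(good))
    print("lookup with missing cert header ->", lookup_client_cert({"ssl-client-verify": "SUCCESS"}))
```

The nginx side this models is `proxy_set_header ssl-client-cert $ssl_client_escaped_cert;` together with `proxy_set_header ssl-client-verify $ssl_client_verify;` inside a `server` block that has `ssl_verify_client on` and a `ssl_client_certificate` pointing at the CA. Two things worth checking against the setup in the post: that the header really contains the percent-encoded PEM (a `curl -v` against the debug backend should show `-----BEGIN%20CERTIFICATE-----%0A...`), and the option names, since in the Keycloak server-administration documentation the provider is selected with `--spi-x509cert-lookup-provider=nginx` and its header settings share that same `x509cert-lookup` prefix; a lookup provider that is never selected falls back to reading the certificate from the TLS connection, which behind an edge proxy is not there.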