How to request access token with X509 certificate authentication and CURL

  • I have a Keycloak instance that is behind an ingress nginx reverse proxy.
  • Users need to authenticate to the reverse proxy with mutual TLS.
  • Keycloak is set up to accept the certificate (PROXY: edge, SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT: ssl-client-cert).
  • I also created a direct grant flow that uses the execution “X509/Validate Username” and a confidential openid-connect client that uses the direct grant flow mentioned.
  • Users do not have passwords because they are authenticated with mutual TLS (X509 certificate).

:question: How to request an access_token for the openid-connect client with curl and without using username/password? :question:

```bash
# urlencode: local helper that percent-encodes its argument (not a standard command)
curl -XPOST https://ingress-path-to-keycloak/realms/myrealm/protocol/openid-connect/token \
  --cacert ca.crt \
  --data "grant_type=client_credentials&scope=openid profile&client_id=my-client&client_secret=my-client-secret" \
  -E user_certificate.crt --key user_private_key.key \
  --header "ssl-client-cert: $(urlencode "$(cat user_certificate.crt)")" \
  --header "ssl-client-issuer-dn: CN=Root CA" \
  --header "ssl-client-subject-dn: emailAddress=user@internal.domain,CN=user,OU=Foo,O=Bar,L=Hello,ST=Test,C=US" \
  --header "ssl-client-verify: SUCCESS" -v
```

Thanks in advance.

If you need more details about the configuration, feel free to ask.

[SOLVED] After investigation, here is the dummy solution:

```bash
# urlencode: local helper that percent-encodes its argument (not a standard command)
# grant_type=password with empty username and password: the user is identified
# from the forwarded certificate by the "X509/Validate Username" execution
curl -XPOST https://ingress-path-to-keycloak/realms/myrealm/protocol/openid-connect/token \
  --cacert ca.crt \
  --data "grant_type=password&scope=openid profile&client_id=my-client&client_secret=my-client-secret&username=&password=" \
  -E user_certificate.crt --key user_private_key.key \
  --header "ssl-client-cert: $(urlencode "$(cat user_certificate.crt)")" \
  --header "ssl-client-issuer-dn: CN=Root CA" \
  --header "ssl-client-subject-dn: emailAddress=user@internal.domain,CN=user,OU=Foo,O=Bar,L=Hello,ST=Test,C=US" \
  --header "ssl-client-verify: SUCCESS" -v
```

Something I was missing is that I need to leave username and password empty in the request and use grant_type=password.

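The working request from the post, wrapped in a script, as an added example that is not part of the original thread. It assumes the same token URL, client id/secret and certificate file names as the post (all overridable via environment variables), and replaces the post's `urlencode` helper, which is not a standard command, with a POSIX-shell implementation built on `od` and `awk`. Mutual TLS is done with `--cert`/`--key` only: the `ssl-client-*` headers that Keycloak's NGINX X509 lookup reads are the ingress's job to set from the certificate it verified, so this script does not send them, and a sound deployment is one where the proxy overwrites any copies a caller supplies.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): request a Keycloak access token
# through a mutual-TLS ingress using the direct grant with empty credentials.
# Assumed names: KC_TOKEN_URL, CLIENT_ID, CLIENT_SECRET, CA_CERT, USER_CERT, USER_KEY.
set -eu

# Percent-encode a string byte by byte; RFC 3986 unreserved characters pass through.
# Stands in for the post's `urlencode` helper (also usable on a PEM file's contents).
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d '\n' | LC_ALL=C awk '
    function hexval(h) { return (index("0123456789abcdef", substr(h, 1, 1)) - 1) * 16 + index("0123456789abcdef", substr(h, 2, 1)) - 1 }
    BEGIN { keep = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~" }
    { for (i = 1; i <= NF; i++) { ch = sprintf("%c", hexval($i)); out = out ((index(keep, ch) > 0) ? ch : "%" toupper($i)) } }
    END { printf "%s", out }'
}

# Build the x-www-form-urlencoded body the post ended up with: grant_type=password
# with username and password present but empty, so the "X509/Validate Username"
# execution identifies the user from the forwarded certificate instead.
token_form_body() {
  client_id="$1"
  client_secret="$2"
  printf 'grant_type=password&scope=%s&client_id=%s&client_secret=%s&username=&password=' \
    "$(urlencode 'openid profile')" "$(urlencode "$client_id")" "$(urlencode "$client_secret")"
}

# Pull access_token out of the JSON token response with sed only (no JSON tool needed).
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Perform the request. The client certificate is presented in the TLS handshake;
# the ingress, not this script, turns it into the ssl-client-* headers for Keycloak.
request_token() {
  body="$(token_form_body "$CLIENT_ID" "$CLIENT_SECRET")"
  curl --silent --show-error \
    --cacert "$CA_CERT" \
    --cert "$USER_CERT" --key "$USER_KEY" \
    --data "$body" \
    "$KC_TOKEN_URL"
}

# Usage: KC_RUN=1 CLIENT_ID=my-client CLIENT_SECRET=my-client-secret ./token.sh
# Prints the bare access token; on an error response nothing is printed and the
# JSON error stays visible by running request_token directly.
if [ "${KC_RUN:-0}" = "1" ]; then
  : "${KC_TOKEN_URL:=https://ingress-path-to-keycloak/realms/myrealm/protocol/openid-connect/token}"
  : "${CA_CERT:=ca.crt}" "${USER_CERT:=user_certificate.crt}" "${USER_KEY:=user_private_key.key}"
  response="$(request_token)"
  extract_access_token "$response"
  echo
fi
```

The script keeps the functions separate so the body builder and the response parser can be checked without network access; only `request_token` talks to the ingress.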