- I have a Keycloak instance that is behind an ingress nginx reverse proxy.
- Users need to authenticate to the reverse proxy with mutual TLS
- Keycloak is set up to accept the certificate (PROXY: edge, SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT: ssl-client-cert)
- I also created a direct grant flow that uses the execution “X509/Validate Username” and a confidential openid-connect client that uses that direct grant flow.
- Users do not have passwords because they are authenticated with mutual TLS (X509 certificate)
How do I request an access_token from the openid-connect client with curl, without using a username/password?
```bash
curl -XPOST https://ingress-path-to-keycloak/realms/myrealm/protocol/openid-connect/token \
  --cacert ca.crt \
  --data "grant_type=client_credentials&scope=openid%20profile&client_id=my-client&client_secret=my-client-secret" \
  -E user_certificate.crt --key user_private_key.key \
  --header "ssl-client-cert: $(urlencode "$(cat user_certificate.crt)")" \
  --header "ssl-client-issuer-dn: CN=Root CA" \
  --header "ssl-client-subject-dn: emailAddress=user@internal.domain,CN=user,OU=Foo,O=Bar,L=Hello,ST=Test,C=US" \
  --header "ssl-client-verify: SUCCESS" -v
```
Thanks in advance
If you need more details about the configuration, feel free to ask.
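For reference, here is the proxy side of the setup described in the question, written as a plain nginx server block that mirrors what ingress-nginx generates when client-certificate verification and passthrough to the upstream are enabled. This is an added example, not the poster's configuration or Keycloak's documentation; the hostnames, certificate paths and upstream address are assumptions. The part worth checking is the last four `proxy_set_header` lines: because nginx sets them itself, any `ssl-client-*` header a client attaches (as the curl command above does) is overwritten, and Keycloak must only be reachable through this proxy for that guarantee to hold.

```nginx
# Added example, not the poster's configuration. Hostname, file paths and
# the upstream address (keycloak:8080) are assumptions.
server {
    listen 443 ssl;
    server_name ingress-path-to-keycloak;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Client certificates must chain to this CA, otherwise the TLS
    # handshake itself fails and no request reaches Keycloak.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        proxy_pass http://keycloak:8080;

        # Forwarding headers Keycloak relies on with PROXY=edge.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # URL-encoded PEM, the format the nginx X509 lookup provider
        # (SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT=ssl-client-cert) parses.
        # proxy_set_header replaces any same-named header sent by the client,
        # so the certificate Keycloak sees is always the one nginx verified.
        proxy_set_header ssl-client-cert       $ssl_client_escaped_cert;
        proxy_set_header ssl-client-verify     $ssl_client_verify;
        proxy_set_header ssl-client-subject-dn $ssl_client_s_dn;
        proxy_set_header ssl-client-issuer-dn  $ssl_client_i_dn;
    }
}
```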