Initiate X509 Certificate Authentication Flow from a button

Hi,

I am trying to authenticate users by using mTLS x509 Authentication. The end goal is to go to my UI which then redirects to the Keycloak login screen (with the keycloak-js adapter). On the login screen, I want to present two options: 1) login with username/password or 2) login via cert.

Right now it is set up to work with username/password fine, the part that has been difficult is setting up x509 Authentication. The main issue is that as soon as I redirect to the Keycloak login page, it automatically looks for the certificate whereas I only want it to search for the cert if the ‘login via cert’ button is pressed. Is there a way to do this?

A little about my system. I am using Traefik as a reverse proxy, so Keycloak is sitting behind Traefik (which I think makes things a little more difficult). All of my services are deployed in a Kubernetes cluster. The UI is built with React and it’s using the Keycloak-js adapter to integrate with Keycloak.

I am not very familiar with certification/networking so I apologize if the vocabulary isn’t quite right.


Hi @cmich,

I’m also facing a similar situation, where I want to offer both choices to my end user before any mTLS x509 request by Nginx (probably doing the same thing as Traefik).

Did you find any solution for your request? If so, can you share it with us?

Thanks!

In this case, this is how mTLS works, period. The proxy triggers the user certificate selection, and then Keycloak picks it up from an HTTP header (with an SPI) during the authentication flow.

If you want to change the experience, you might need to use different domains as a workaround, but you will end up dealing with other “challenges” as well.
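To make the "different domains" workaround concrete, here is an added example of a Traefik dynamic (file-provider) configuration; it is not from this thread and not from the Traefik or Keycloak projects. It puts the same Keycloak service behind two hostnames: one with plain server TLS (the username/password path, where the browser is never asked for a client certificate) and one with a TLS option that requires and verifies a client certificate, forwarding the presented certificate to Keycloak in a header. The hostnames, the CA file path and the backend URL are assumptions; the Keycloak side (an X509 certificate lookup provider configured to read the forwarded header, and the X509 browser flow itself) is assumed to be set up and is not shown here.

```yaml
# Added example: two Traefik routers for one Keycloak backend.
# All hostnames, paths and URLs below are placeholders for this illustration.
tls:
  options:
    # TLS option used only by the certificate-login hostname.
    # The client-certificate request happens in the TLS handshake, so only
    # connections to a router that uses this option trigger the browser prompt.
    mtls:
      clientAuth:
        caFiles:
          - /certs/client-ca.pem        # assumed path to the CA that issued user certs
        clientAuthType: RequireAndVerifyClientCert

http:
  routers:
    # Username/password login: ordinary server-side TLS, no client cert requested.
    keycloak-password:
      rule: "Host(`auth.example.com`)"
      entryPoints:
        - websecure
      service: keycloak
      tls: {}

    # "Login via cert" hostname: the button in the UI sends the user here.
    # The handshake requires a valid client certificate, which the middleware
    # below forwards to Keycloak for its X509 lookup provider to consume.
    keycloak-cert:
      rule: "Host(`cert-auth.example.com`)"
      entryPoints:
        - websecure
      service: keycloak
      middlewares:
        - forward-client-cert
      tls:
        options: mtls

  middlewares:
    # Puts the verified client certificate into the X-Forwarded-Tls-Client-Cert
    # header so Keycloak (behind the proxy) can pick it up from that header.
    forward-client-cert:
      passTLSClientCert:
        pem: true

  services:
    keycloak:
      loadBalancer:
        servers:
          - url: "http://keycloak:8080"   # assumed in-cluster Keycloak address
```

With this layout, the UI's normal redirect targets the password hostname, and the "login via cert" button simply sends the browser to the same Keycloak login URL on the certificate hostname, so the certificate prompt appears only when the user chose that path. The proxy is the trust boundary for the forwarded certificate header: Keycloak should be reachable only through Traefik (for example, via cluster-internal networking), since a client that can reach the backend directly could otherwise supply that header itself. The separate hostnames also bring the "challenges" mentioned above, such as cookies and redirect URIs that are scoped per host.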