Hi all,
My setup is configured with Keycloak behind an AWS ALB reverse proxy. I’ve enabled the mTLS passthrough option so I can authenticate users using the X.509 username/password form in my browser authentication flow.
The issue is that I need to programmatically allow users to log in with their client certificate based on a “login with certificate” button. For example, Keycloak is configured with TLS, and AWS ALB listeners are limited to mTLS on/off at the listener level (i.e., a listener is defined at the protocol/port level, like HTTPS/443). I do not want all users accessing my primary domain to be prompted for their client certificate.
My idea was to redirect the user from auth.mycompany.com to id.mycompany.com or primary_domain:8443 which is a separate AWS ALB with mTLS turned on so the browser prompts them for a client certificate and then send the traffic to keycloak.
The oversight on my end was that using a different domain, or the same domain with a different port, violates the browser’s SOP and hence breaks SSO by not being able to access the KEYCLOAK_SESSION cookie, leading to a redirect loop where the OIDC client in my browser thinks the user is not authenticated.
A few ideas I’ve thought of trying are to explore a different load balancer option with path-based mTLS support, or a check_session_iframe in my OIDC client. I wanted to see if anyone in the community has solved a similar issue and has suggestions.
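The cookie-scoping behaviour behind the redirect loop described above, as an added illustration that is not part of the original post: a host-only, Secure cookie set by the Keycloak origin (here assumed to be `auth.mycompany.com`) is simulated with Python's standard `http.cookiejar`, and the script checks which requests the browser-style jar would attach it to. The cookie name `KEYCLOAK_SESSION` comes from the post; its value, the realm name `myrealm` and both hostnames are constructed placeholders. The check only covers the separate-hostname case (`id.mycompany.com`) and the HTTP downgrade case; it says nothing about mTLS itself.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Constructed sample value; not a real Keycloak session cookie format.
SESSION_VALUE = "myrealm/abc123/def456"


def make_session_cookie(host: str) -> Cookie:
    """Build a host-only, Secure, HttpOnly cookie as a browser would store it
    after a Set-Cookie from `host` that carries no Domain attribute."""
    return Cookie(
        version=0,
        name="KEYCLOAK_SESSION",
        value=SESSION_VALUE,
        port=None,
        port_specified=False,
        domain=host,
        domain_specified=False,   # host-only: no Domain= attribute was sent
        domain_initial_dot=False,
        path="/",
        path_specified=True,
        secure=True,              # only sent over https
        expires=None,
        discard=True,             # session cookie
        comment=None,
        comment_url=None,
        rest={"HttpOnly": None},
        rfc2109=False,
    )


def cookie_header_for(jar: CookieJar, url: str):
    """Return the Cookie header the jar would attach to a request for `url`,
    or None when the jar's policy withholds every stored cookie."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def simulate(origin_host: str = "auth.mycompany.com",
             other_host: str = "id.mycompany.com") -> dict:
    """Store the session cookie for origin_host, then probe three requests:
    the same origin, a sibling hostname, and the origin over plain http."""
    jar = CookieJar()
    jar.set_cookie(make_session_cookie(origin_host))
    auth_path = "/realms/myrealm/protocol/openid-connect/auth"  # constructed
    return {
        "same_host": cookie_header_for(jar, f"https://{origin_host}{auth_path}"),
        "other_host": cookie_header_for(jar, f"https://{other_host}{auth_path}"),
        "plain_http": cookie_header_for(jar, f"http://{origin_host}{auth_path}"),
    }


if __name__ == "__main__":
    for case, header in simulate().items():
        print(f"{case:>10}: {header!r}")
```

Running it shows the cookie is attached only to the same-host HTTPS request; the sibling hostname never sees it, which is why Keycloak on the mTLS hostname has no session to resume and sends the client back through login.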