Keycloak realm behind ingress-nginx with mTLS (x509)

I'm trying to fix an issue where we need to authenticate to a realm using a CA cert. I have the ingress asking for the cert; however, I get "invalid credentials" when I hit the page, as if it's not accepting the cert.

We're migrating from a NodePort Keycloak and reverse proxy to the ingress-nginx reverse proxy.

Here are some relevant logs:
2024-02-06 14:43:33,210 DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpointChecker] (executor-thread-6) PKCE non-supporting Client
2024-02-06 14:43:33,210 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-6) Could not find any cookies with name {0}, trying {1}
2024-02-06 14:43:33,210 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-6) Not found AUTH_SESSION_ID cookie
2024-02-06 14:43:33,211 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-6) Could not find any cookies with name {0}, trying {1}
2024-02-06 14:43:33,211 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-6) Not found AUTH_SESSION_ID cookie
2024-02-06 14:43:33,211 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-6) Could not find cookie KEYCLOAK_IDENTITY, trying KEYCLOAK_IDENTITY_LEGACY
2024-02-06 14:43:33,211 DEBUG [org.keycloak.services.managers.AuthenticationManager] (executor-thread-6) Could not find cookie: KEYCLOAK_IDENTITY
2024-02-06 14:43:33,211 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-6) Set AUTH_SESSION_ID cookie with value 671da64a-cb45-461d-a584-4102f8f9ac9d.vmoc-keycloak-8459fd6784-p6cwl-61627
2024-02-06 14:43:33,211 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (executor-thread-6) Sent request to authz endpoint. Created new root authentication session with ID '671da64a-cb45-461d-a584-4102f8f9ac9d' . Client: ui-httpd . New authentication session tab ID: SpCTrXxB670
2024-02-06 14:43:33,211 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-6) AUTHENTICATE
2024-02-06 14:43:33,211 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-6) AUTHENTICATE ONLY
2024-02-06 14:43:33,211 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) processFlow: x509 Browser
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) authenticator: auth-cookie
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-6) Going through the flow 'x509 Browser' for adding executions
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-6) Selections when trying execution 'auth-cookie' : [ authSelection - auth-cookie, authSelection - identity-provider-redirector, authSelection - vmoc-auth-x509-client-username-form]
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) invoke authenticator.authenticate: auth-cookie
2024-02-06 14:43:33,212 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-6) Could not find cookie KEYCLOAK_IDENTITY, trying KEYCLOAK_IDENTITY_LEGACY
2024-02-06 14:43:33,212 DEBUG [org.keycloak.services.managers.AuthenticationManager] (executor-thread-6) Could not find cookie: KEYCLOAK_IDENTITY
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) authenticator ATTEMPTED: auth-cookie
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) check execution: 'identity-provider-redirector', requirement: 'ALTERNATIVE'
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) authenticator: identity-provider-redirector
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-6) Going through the flow 'x509 Browser' for adding executions
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-6) Selections when trying execution 'identity-provider-redirector' : [ authSelection - identity-provider-redirector, authSelection - vmoc-auth-x509-client-username-form]
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) invoke authenticator.authenticate: identity-provider-redirector
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) authenticator ATTEMPTED: identity-provider-redirector
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) check execution: 'vmoc-auth-x509-client-username-form', requirement: 'ALTERNATIVE'
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) authenticator: vmoc-auth-x509-client-username-form
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-6) Going through the flow 'x509 Browser' for adding executions
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-6) Selections when trying execution 'vmoc-auth-x509-client-username-form' : [ authSelection - vmoc-auth-x509-client-username-form]
2024-02-06 14:43:33,212 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) invoke authenticator.authenticate: vmoc-auth-x509-client-username-form
2024-02-06 14:43:33,212 DEBUG [org.keycloak.services] (executor-thread-6) [AutoRegisterX509ClientCertificateAuthenticator:authenticate] x509 client certificate is not available for mutual SSL.
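Added example, not part of the original post and not the poster's configuration. The last log line is what the Keycloak X509 authenticator reports when its certificate lookup returns nothing. When TLS terminates at the ingress, Keycloak never sees the client certificate on its own connection; ingress-nginx has to be told to forward the verified certificate to the upstream (it does so as a URL-escaped PEM in the ssl-client-cert header), and Keycloak has to be told to read that header via its nginx x509cert-lookup provider instead of the default connection-based lookup. The manifest below shows both halves using the documented ingress-nginx annotations and Keycloak options. The names vmoc-keycloak, vmoc, keycloak.example.com and client-ca are placeholders assumed for the example; whether this matches the poster's ingress and realm setup is an assumption.

```yaml
# Added example: ingress-nginx mTLS in front of Keycloak (hostnames, namespace,
# secret and service names are placeholder assumptions).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vmoc-keycloak
  namespace: vmoc
  annotations:
    # Require a client cert and verify it against ca.crt in the named secret.
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "vmoc/client-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Without this the cert never leaves the ingress and Keycloak logs
    # "x509 client certificate is not available for mutual SSL".
    # ingress-nginx forwards the leaf cert only, URL-escaped, in ssl-client-cert.
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [keycloak.example.com]
      secretName: keycloak-tls
  rules:
    - host: keycloak.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vmoc-keycloak
                port:
                  number: 8080
---
# Keycloak side: switch the x509 lookup from the TLS connection to the nginx
# header. These are the documented KC_SPI_X509CERT_LOOKUP_* options
# (equivalent to --spi-x509cert-lookup-provider=nginx etc. on the CLI).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vmoc-keycloak
  namespace: vmoc
spec:
  selector:
    matchLabels: { app: vmoc-keycloak }
  template:
    metadata:
      labels: { app: vmoc-keycloak }
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:23.0   # version is an assumption
          args: ["start"]
          env:
            - name: KC_SPI_X509CERT_LOOKUP_PROVIDER
              value: nginx
            # Header ingress-nginx uses for the escaped client certificate.
            - name: KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT
              value: ssl-client-cert
            # nginx does not forward the chain; the provider still needs a
            # prefix and length, so a dummy prefix is used per the Keycloak docs.
            - name: KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CERT_CHAIN_PREFIX
              value: USELESS
            - name: KC_SPI_X509CERT_LOOKUP_NGINX_CERTIFICATE_CHAIN_LENGTH
              value: "2"
```

Two checks worth doing before changing the realm's authenticator: confirm the secret referenced by auth-tls-secret actually contains the ca.crt key with the issuing CA, and confirm with a debug upstream (or Keycloak at DEBUG on org.keycloak.services) that the ssl-client-cert header arrives on the request. Because Keycloak now trusts a header for identity, the Keycloak service must be reachable only from the ingress; any client that can reach port 8080 directly could supply its own ssl-client-cert header.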