Keycloak x509 authentication behind ALB AWS

Hello,

I have Keycloak deployed in an EKS cluster. I have one client configured in a realm that I would like to authenticate with the x509 authentication flow.

Right now, if I expose the server behind an NLB, the mTLS connection is terminated at the Keycloak server and the flow works perfectly. However, I would like to add a layer of security and work with an ALB instead (so I can configure a WAF, for example).

mTLS on the AWS ALB is quite recent, and I tried to configure the Keycloak server to work behind an nginx proxy and read the certificate from the header the AWS documentation specifies. However, the encoding of this header is not the same when it comes from the ALB as when it comes from an nginx proxy (it includes 3 safe characters):

“This header contains the URL-encoded PEM format of the entire client certificate chain presented in the connection, with +=/ as safe characters.” (AWS documentation)

So Keycloak shows this error:
“ERROR [org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup] (executor-thread-2) org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory$ExCertificateException: parsing issue: corrupted stream - out of bounds length found: 1909 >= 1902: org.keycloak.common.util.PemException: org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory$ExCertificateException: parsing issue: corrupted stream - out of bounds length found: 1909 >= 1902”

So I wonder if anyone has an approach to solve this problem: either creating a new SPI for the x509 lookup matching the ALB conditions, or working with the existing SPIs (haproxy, nginx, apache) but with an intermediate step such as a Lambda or something similar?

Thank you!

Hi everyone, short update: I was able to solve the issue with an nginx between the AWS ALB and Keycloak. Using Lua I was able to adapt the header so Keycloak would receive it as if it came from an nginx.

Anyway, recently I discovered that someone was working on an optimal solution:

So I hope the merge request gets approved sooner rather than later.

Regards!

1 Like
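The header rewrite the update above describes, as an added example in Python; the author's own solution was Lua inside nginx and is not shown here. ALB's encoding rule is the one quoted from the AWS documentation, while nginx's fully percent-encoded form, the helper names and the PEM-shaped sample are assumptions or constructed for the example.

```python
from urllib.parse import quote, unquote, unquote_plus

# Constructed sample: PEM-shaped text, not a real certificate. The body
# deliberately contains '+', '/' and '=' because those are exactly the
# characters ALB leaves unescaped while nginx percent-encodes them.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIB+fake/body+with/slashes==\n"
    "-----END CERTIFICATE-----\n"
)


def alb_encode(pem: str) -> str:
    """Encode as ALB does: URL-encoded PEM with '+', '=' and '/' kept safe."""
    return quote(pem, safe="+=/")


def nginx_encode(pem: str) -> str:
    """Encode as nginx's $ssl_client_escaped_cert is assumed to: every
    character outside the unreserved set is percent-encoded, including +=/."""
    return quote(pem, safe="")


def alb_to_nginx(alb_header: str) -> str:
    """Rewrite an ALB-style header into the fully escaped nginx form.

    unquote() leaves a literal '+' alone (it is not a form decoder), so the
    ALB safe characters survive the round trip and are then re-escaped."""
    return nginx_encode(unquote(alb_header))


def decode_header(header: str, form_style: bool = False) -> str:
    """Decode a header the way a consumer might. A form-style decoder turns a
    literal '+' into a space, which silently corrupts the base64 body of an
    ALB-style header; this illustrates how the two encodings diverge and is
    not a confirmed diagnosis of the Keycloak error quoted above."""
    return unquote_plus(header) if form_style else unquote(header)


if __name__ == "__main__":
    alb = alb_encode(SAMPLE_PEM)
    print("ALB header   :", alb)
    print("nginx header :", alb_to_nginx(alb))
    print("form decode  :", repr(decode_header(alb, form_style=True)))
```

The nginx form decodes correctly under both decoders, which is why normalising to it in front of Keycloak removes the ambiguity.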