mTLS with OIDC IDP

Hi there,

I need to configure an identity provider (OIDC type). The token endpoint needs to be called with mTLS.
I have access to two versions of Keycloak (v9 and v15), both of them running inside K8s.

As of now, I tried many things:

Each try does the same: handshake_failure. I received the certificate from the IDP server and Keycloak just responds with (ssl:handshake debug):

Produced client Certificate handshake message (
"Certificates": <empty list>
)

What do I need to configure to make Keycloak respond with my client certificate to validate the handshake?

Thank you all for helping me.

In case someone is facing the same issue, here is the solution:

  1. Create a keystore containing the client certificate and the key (protect this keystore with a password):
openssl pkcs12 -export -in your-cert-fullchain.crt -inkey your-cert.key -out keystore.p12 -name your-cert
  2. Create a secret containing this keystore:
kubectl create secret generic client-certificate --from-file=keystore.p12

Modify your Deployment in order to mount this secret inside your workload.

  3. Edit your standalone config file
    In my case, I use a specific actions.cli as my image is customized. At build time, a file containing actions is copied inside the image. At launch time, these actions are run against the workload.
    Here are the actions to add the keystore:
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-keystore,value=/the/path_to_the/keystore.p12)
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-keystore-password,value="THE_PASSWORD")
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-key-password,value="THE_PASSWORD")


Thanks! This was really useful. After reading this I also found the related official docs: Server Installation and Configuration Guide

Another thing which is very useful to know is that if you use a PKCS12 (.p12 or .pfx) file as keystore, then you need to use the keystore password in both places. A PKCS12 keystore does not have a key password, only a keystore password, and without setting both properties.client-keystore-password and properties.client-key-password to the actual keystore password, you get into strange error messages related to crypto padding.

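A pre-flight check for the keystore built in step 1 and the single PKCS12 password discussed above, as an added example that is not from this thread; it assumes `openssl` is on PATH and that the keystore path and password are the ones you will put into the CLI properties.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: verify a PKCS12 client keystore before
# mounting it into Keycloak. Assumes `openssl` is on PATH. The password you pass
# here is the one to put in BOTH properties.client-keystore-password and
# properties.client-key-password (a PKCS12 file carries a single password).

# Exit 0 when the keystore opens with the given password and the private key
# inside it belongs to the client certificate; non-zero otherwise.
check_client_keystore() {
  local ks="$1" pw="$2" cert_pub key_pub
  # A wrong password fails the MAC check right here; inside Keycloak the same
  # mistake only surfaces later as an obscure padding/decryption error.
  openssl pkcs12 -in "$ks" -passin "pass:$pw" -noout 2>/dev/null || return 1
  # Public key taken from the client certificate (the cert tied to the key).
  cert_pub=$(openssl pkcs12 -in "$ks" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null \
             | openssl x509 -pubkey -noout 2>/dev/null)
  # Public key derived from the private key stored next to it.
  key_pub=$(openssl pkcs12 -in "$ks" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
            | openssl pkey -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print how many certificates the keystore carries. 1 means only the leaf is
# inside: the intermediates from your-cert-fullchain.crt did not make it in,
# which matters when the IDP has to build the chain to validate the client cert.
keystore_chain_length() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Usage: ./check-keystore.sh /the/path_to_the/keystore.p12 "$KEYSTORE_PASSWORD"
if [ -n "${1:-}" ]; then
  if check_client_keystore "$1" "$2"; then
    echo "keystore OK, certificates in chain: $(keystore_chain_length "$1" "$2")"
  else
    echo "keystore cannot be opened with that password, or key and cert do not match" >&2
    exit 1
  fi
fi
```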

Glad to have been helpful