mTLS with OIDC IDP

Hi there,

I need to configure an identity provider (OIDC type). The token endpoint need to be called with mTLS.
I have access to two version of keycloak (v9 and v15), both of them are running inside K8s

As of now, I tried many things :

Each try do the same : handshake_failure. I received the certificate from the IDP server and keycloak just respond with (ssl:handshake debug) :

Produced client Certificate handshake message (
"Certificates": <empty list>
)

What do I need to configure to make keycloak respond with my client certificate to validate the handshake ?

Thank you all for helping me.

In case someone is facing the same issue, here is the solution :

  1. Create a keystore containing the client certificate and the key (protect this keystore with a password) :
openssl pkcs12 -export -in you-cert-fullchain.crt -inkey your-cert.key -out keystore.p12 -name your-cert
  1. Create a secret containing these keystore :
kubectl create secret generic client-certificate --from-file=keystore.p12

Modify your Deployment in order to mount this secret inside your workload.

  1. Edit your standalone config file
    In my case, I use specific actions.cli as my image is customized. At build time, a file containing actions is copy inside image. At launch time, these actions are run against the workload.
    Here is the actions to add the keystore :
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-keystore,value=/the/path_to_the/keystore.p12)
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-keystore-password,value="THE_PASSWORD")
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-key-password,value="THE_PASSWORD")