Re-authenticate a user when trying to have access to a specific resource (URL)

Hello,

I have set up Keycloak and Apache with mod_oidc as the client, and I want to set up the following use case.

When a user wants to access, let's say, /something, Keycloak will authenticate the user with a username/password form, but if he wants to go to /something_else, I want to authenticate the user with an X.509 certificate.

Is it possible to set this up with Keycloak and Apache mod_auth_openidc without creating two clients, one for each resource?

There are a few possibilities for how to achieve this, but none is very straightforward. We plan to introduce step-up authentication in the near future (maybe this year, but not 100% sure). That should help with your use case.

Until then, the easiest possibility is maybe to create 2 separate clients and use "Authentication flow overrides" for the particular client. So for the client for "/something_else", you may need to create a different authentication flow, which will have the X509 certificate as a mandatory authenticator.

Marek

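As an added example (not from the original thread, and not Keycloak's own code), here is a script that provisions the setup Marek describes through the Keycloak admin REST API: a dedicated browser flow whose only step is the X509 authenticator set to REQUIRED, a second OIDC client whose browser binding is overridden to that flow, and the password client left on the realm's default browser flow. The endpoint paths, the authenticator provider id `auth-x509-client-username-form` and the `x509-cert-auth.*` config keys are Keycloak's as I know them and should be checked against your version; the realm name, client ids and redirect URIs are placeholders.

```python
"""Provision the two-client / flow-override setup through the Keycloak admin REST API.
Added example, not from the original thread or from Keycloak itself."""
import json
import os
import urllib.parse
import urllib.request

# Provider id of Keycloak's browser-flow "X509/Validate Username Form" authenticator.
# Assumed; compare with GET /admin/realms/{realm}/authentication/authenticator-providers.
X509_BROWSER_AUTHENTICATOR = "auth-x509-client-username-form"


def flow_payload(alias):
    """Empty top-level flow that will contain only the X509 step."""
    return {"alias": alias, "providerId": "basic-flow", "topLevel": True,
            "builtIn": False, "description": "Client certificate required"}


def execution_payload():
    """Body for POST .../flows/{alias}/executions/execution."""
    return {"provider": X509_BROWSER_AUTHENTICATOR}


def x509_config_payload(alias):
    """Authenticator config: map the certificate's e-mail SAN onto the user's e-mail
    and reject certificates that fail revocation checks.  The x509-cert-auth.* keys
    are assumed; confirm them in your admin console before relying on this."""
    return {"alias": alias, "config": {
        "x509-cert-auth.mapping-source-selection": "Subject's e-mail",
        "x509-cert-auth.mapper-selection": "Username or Email",
        "x509-cert-auth.crl-checking-enabled": "true",
        "x509-cert-auth.ocsp-checking-enabled": "true",
        "x509-cert-auth.confirmation-page-disallowed": "true"}}


def client_payload(client_id, redirect_uri, browser_flow_id=None):
    """Confidential OIDC client.  With browser_flow_id (the flow's UUID) set,
    authenticationFlowBindingOverrides makes only this client use that flow."""
    payload = {"clientId": client_id, "protocol": "openid-connect",
               "publicClient": False, "standardFlowEnabled": True,
               "directAccessGrantsEnabled": False, "redirectUris": [redirect_uri]}
    if browser_flow_id:
        payload["authenticationFlowBindingOverrides"] = {"browser": browser_flow_id}
    return payload


def admin_token(base, user, password):
    """Password grant against master/admin-cli; acceptable for a bootstrap script."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": user, "password": password}).encode()
    with urllib.request.urlopen(f"{base}/realms/master/protocol/openid-connect/token", data) as r:
        return json.load(r)["access_token"]


def call(base, realm, token, method, path, body=None):
    """One admin REST call; returns (Location header, parsed JSON body or None)."""
    req = urllib.request.Request(f"{base}/admin/realms/{realm}{path}", method=method,
                                 data=json.dumps(body).encode() if body is not None else None,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        raw = r.read()
        return r.headers.get("Location"), (json.loads(raw) if raw else None)


def provision(base, realm, token, flow_alias="x509-browser"):
    quoted = urllib.parse.quote(flow_alias, safe="")
    # 1. create the flow and its single execution; Keycloak returns the new ids in Location
    loc, _ = call(base, realm, token, "POST", "/authentication/flows", flow_payload(flow_alias))
    flow_id = loc.rsplit("/", 1)[-1]
    loc, _ = call(base, realm, token, "POST",
                  f"/authentication/flows/{quoted}/executions/execution", execution_payload())
    exec_id = loc.rsplit("/", 1)[-1]
    # 2. new executions start DISABLED; make the X509 step REQUIRED and attach its config
    _, execs = call(base, realm, token, "GET", f"/authentication/flows/{quoted}/executions")
    for ex in execs:
        if ex["id"] == exec_id:
            ex["requirement"] = "REQUIRED"
            call(base, realm, token, "PUT", f"/authentication/flows/{quoted}/executions", ex)
    call(base, realm, token, "POST", f"/authentication/executions/{exec_id}/config",
         x509_config_payload(f"{flow_alias}-cfg"))
    # 3. password client keeps the realm's default browser flow; cert client overrides it
    # (client ids and redirect URIs below are placeholders)
    call(base, realm, token, "POST", "/clients",
         client_payload("apache-something", "https://app.example.test/something/*"))
    call(base, realm, token, "POST", "/clients",
         client_payload("apache-something-else",
                        "https://app.example.test/something_else/*", flow_id))
    return flow_id


if __name__ == "__main__":
    # On older Keycloak releases the base URL includes the /auth prefix.
    kc = os.environ.get("KC_URL", "https://keycloak.example.test")
    tok = admin_token(kc, os.environ["KC_ADMIN"], os.environ["KC_PASSWORD"])
    print("x509 flow id:", provision(kc, os.environ.get("KC_REALM", "demo"), tok))
```

Two things to check before expecting the /something_else login to work. First, Keycloak only sees a client certificate if whatever terminates TLS (Keycloak itself, or a reverse proxy in front of it) requests one and, in the proxy case, forwards it in the header Keycloak is configured to read; otherwise the REQUIRED X509 step fails for every user. Second, on the Apache side the /something_else location still has to be sent to the second client; as far as I know mod_auth_openidc configures its client identity per virtual host rather than per Location, which is the part that makes the two-client approach awkward in practice.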