Is the client certificate chain forwarded by Envoy (either via XFCC or some other header)?


Sean Fitts

Feb 23, 2019, 4:38:58 PM
to envoy-users

We use Keycloak to perform authentication and currently terminate SSL connections via HAProxy.  We're evaluating a possible switch to Envoy and I have a question about the information available when forwarding client certificate data from mTLS.

Specifically, in order for Keycloak to work it needs access to both the client certificate and its entire certificate chain (see https://www.keycloak.org/docs/latest/server_admin/index.html#client-certificate-lookup).  HAProxy makes both of these available via forwarded HTTP headers.  I can see that Envoy forwards the client cert in the XFCC header, but it is unclear whether this includes the entire certificate chain (either in the cert or as another key in that header).  I've poked about a bunch in docs/code/blogs/etc... and can't seem to find anything definitive about this.

Thanks in advance for any info,
Sean
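Since the question turns on what the XFCC header actually carries, here is an added example (not from this thread, Keycloak, or the Envoy project) showing how a backend can parse the header and check whether a hop forwarded a chain or only the leaf certificate. The grammar is the one Envoy's x-forwarded-client-cert documentation describes: one element per proxy hop separated by ",", key=value pairs within an element separated by ";", values containing ",", ";" or "=" wrapped in double quotes with an escaped `\"`, and Cert/Chain values as URL-encoded PEM. The header values, hash, By URI and PEM bodies below are constructed placeholders; whether a Chain key is present at all depends on the Envoy version and its client-cert-details configuration, which is exactly what this thread asks about.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import quote, unquote

# Grammar assumed from Envoy's x-forwarded-client-cert documentation: one element per
# proxy hop, elements separated by ',', key=value pairs within an element separated by
# ';', values containing ',' ';' or '=' wrapped in double quotes with '"' escaped as '\"'.
# Cert and Chain values are URL-encoded PEM.


def parse_xfcc(header: str) -> List[Dict[str, str]]:
    """Split an XFCC header value into per-hop dicts, honouring quoted values."""
    elements: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    key: List[str] = []
    value: List[str] = []
    in_key = True       # reading the key (before '=') or the value (after)
    in_quotes = False   # inside a double-quoted value
    i, n = 0, len(header)
    while i < n:
        c = header[i]
        if in_quotes:
            if c == "\\" and i + 1 < n and header[i + 1] == '"':
                value.append('"')          # escaped quote inside a quoted value
                i += 2
                continue
            if c == '"':
                in_quotes = False          # closing quote
            else:
                value.append(c)
        elif c in ";,":
            if key:
                current["".join(key).strip()] = "".join(value)
            key, value, in_key = [], [], True
            if c == "," and current:
                elements.append(current)   # ',' starts the next hop's element
                current = {}
        elif in_key:
            if c == "=":
                in_key = False
            else:
                key.append(c)
        elif c == '"' and not value:
            in_quotes = True               # opening quote of a quoted value
        else:
            value.append(c)
        i += 1
    if key:
        current["".join(key).strip()] = "".join(value)
    if current:
        elements.append(current)
    return elements


_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)


def split_pems(bundle: str) -> List[str]:
    """Split a concatenated PEM bundle into individual certificates."""
    return _PEM_RE.findall(bundle)


def client_cert_pem(element: Dict[str, str]) -> Optional[str]:
    """Leaf certificate from the Cert key, URL-decoded back to PEM (None if absent)."""
    cert = element.get("Cert")
    return unquote(cert) if cert is not None else None


def chain_pems(element: Dict[str, str]) -> Optional[List[str]]:
    """Certificates from the Chain key, URL-decoded and split (None if the hop sent no Chain)."""
    chain = element.get("Chain")
    return split_pems(unquote(chain)) if chain is not None else None


def has_full_chain(element: Dict[str, str]) -> bool:
    """The check a Keycloak-style backend wants: did this hop forward a chain, not just the leaf?"""
    return bool(chain_pems(element))


# Constructed placeholders standing in for real PEM bodies (not valid certificates).
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nMIIB-constructed-leaf-placeholder\n-----END CERTIFICATE-----\n"
SAMPLE_ISSUER = "-----BEGIN CERTIFICATE-----\nMIIB-constructed-issuer-placeholder\n-----END CERTIFICATE-----\n"

# Constructed header as a hop might emit it with Cert and Subject enabled but no Chain.
SAMPLE_XFCC = (
    "By=spiffe://example.test/backend;"      # assumed By value
    "Hash=" + "0" * 64 + ";"                 # constructed hash, not a real digest
    'Subject="CN=client,O=Example,C=US";'    # quoted because it contains commas
    "Cert=" + quote(SAMPLE_LEAF, safe="")
)

# The same hop with a Chain value, which a backend needing the full chain would look for.
SAMPLE_XFCC_WITH_CHAIN = SAMPLE_XFCC + ";Chain=" + quote(SAMPLE_LEAF + SAMPLE_ISSUER, safe="")

if __name__ == "__main__":
    for label, raw in (("without Chain", SAMPLE_XFCC), ("with Chain", SAMPLE_XFCC_WITH_CHAIN)):
        hop = parse_xfcc(raw)[0]
        print(label, "keys:", sorted(hop), "full chain forwarded:", has_full_chain(hop))
```

A backend should only treat XFCC as authoritative on the connection from its own proxy; the proxy's forward-client-cert-details setting decides whether a header supplied by the client is sanitized or passed through, so the parser above is only as trustworthy as that hop.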

Matt Klein

Feb 28, 2019, 1:46:30 PM
to Sean Fitts, Piotr Sikora, envoy-users
+Piotr Sikora IIRC this is not available currently. I would open a tracking issue.


Sean Fitts

Feb 28, 2019, 5:44:13 PM
to envoy-users