X.509 Mutual Certificate Authentication


T Levingston

Jul 27, 2022, 4:05:26 PM
to Keycloak Dev
Hi,
Long time watcher, first time poster...
I am using Version 18.02 on Quarkus. I have followed the documentation I could find on setting up mutual authentication, but when the resource application redirects the user's browser to the Keycloak server, the browser reports {"error_description":"X509 client certificate is missing.","error":"invalid_request"}; the same error is posted to the server.log.
I have tested, and it seems like Keycloak is not providing a list of CA names to the client.
If I run this command on the keycloak server,
openssl s_client -connect localhost:443 > C:\Users\<myusername>\Documents\sslout.txt
it returns the SSL certificate followed by this,
No client certificate CA names sent.
Running this command on an endpoint that requires client certificates returns a list of acceptable CAs. The resource I am using does not provide that list either.
My question is do I configure the list of acceptable CAs on the resource application or do I do that in the keycloak.conf?
Using Keycloak hosted on Wildfly it was configured in standalone.xml; I can't find the switches for Quarkus.
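A scripted version of the check the poster ran by hand, added here as an example that is not from the thread or from the Keycloak project: it parses the CA-name section of `openssl s_client` output and fails when the server never asks for a client certificate. The host/port defaults and the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread. Reads openssl s_client
# output and reports the "Acceptable client certificate CA names" list
# that a server sends only when it requests a client certificate.

# Parse captured s_client output on stdin. Prints the CA names, one per
# line, and exits 1 if the server sent none (the poster's symptom).
client_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        /^No client certificate CA names sent/    { found = 0; exit }
        # The CA list ends at the next section header of s_client output.
        inlist && /^(Client Certificate Types|Requested Signature|Shared Requested|Peer signing|Server Temp Key|---)/ { inlist = 0 }
        inlist { print; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Live check against a server; host and port are assumptions (defaults
# match the poster's localhost:443). Stdin is closed so openssl exits
# once the handshake is printed.
check_mtls() {
    host=${1:-localhost}; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | client_ca_names
}

# Constructed samples of the two outcomes for offline testing.
SAMPLE_REQUESTING='---
Acceptable client certificate CA names
CN = Example Corp Issuing CA, O = Example Corp
CN = Example Corp Root CA, O = Example Corp
Client Certificate Types: RSA sign, ECDSA sign
---'
SAMPLE_NONE='---
No client certificate CA names sent
---'
```

Run `check_mtls mbpskcsvr.mbps.local 443` against the Keycloak host; an empty list with exit status 1 means the server is not requesting client certificates at the TLS layer, which in the Keycloak Quarkus guide is controlled by `https-client-auth` (`request` or `required`) together with a configured truststore.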

T Levingston

Jul 27, 2022, 4:12:15 PM
to Keycloak Dev
Here is my keycloak.conf; it works for Google auth MFA and username-password.
# Basic settings for running in production. Change accordingly before deploying the server.

# Database

# The database vendor.
db=mssql
#disable xa if not configured on SQL Server
transaction-xa-enabled=false
# The username of the database user.
db-username=nunya

# The password of the database user.
db-password=SuperHardPassword

# The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor. Needs integrated security
db-url=<this part works though I want to add integrated security when I solve this other issue>

# Observability

# If the server should expose healthcheck endpoints.
#health-enabled=true

# If the server should expose metrics endpoints.
#metrics-enabled=true

# HTTP
http-enable=true
http-port=80
https-port=443
ssl-enable=true
redirect-insecure-requests=false
# The file path to a server certificate or certificate chain in PEM format.
https-certificate-file=C:\\Program Files\\keycloak-18.0.2\\Certs\\<mycrtfile>
# The file path to a private key in PEM format.
https-certificate-key-file=C:\\Program Files\\keycloak-18.0.2\\Certs\\<mykeyfile>

#https-key-store-password=
spi-truststore-file-file=C:\\Program Files\\keycloak-18.0.2\\Certs\\truststore.jks
spi-truststore-file-password=<another super hard password>
#Quarkus SSL Settings, sort of trying stuff here
spi-truststore-file-hostname-verification-policy=WILDCARD

spi-ssl-client-auth=request
spi-ssl-certificate-trust-store-file=C:\\Program Files\\keycloak-18.0.2\\Certs\\truststore.jks
spi-ssl-certificate-trust-store-password = <Yet another super hard password>



# The proxy address forwarding mode if the server is behind a reverse proxy.
#proxy=reencrypt

# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
#spi-sticky-session-encoder-infinispan-should-attach-route=false

#http-relative-path=/auth/

# Hostname for the Keycloak server.
hostname=mbpskcsvr.mbps.local

log=file
log-file=C:\\ProgramData\\keycloak\\logs\\server.log
log-file-format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n
#log-level=error

T Levingston

Jul 29, 2022, 4:33:51 PM
to Keycloak Dev
It was probably on me, and this could have gone in the user forum, but switching between Quarkus and WF has been a little confusing. The correct setting is clearly documented now; it might have been when I read it before and I missed it.
The settings to enable mutual TLS in Quarkus are correct in the Guide.