X509ClientCertificateLookup for Envoy X-Forwarded-Client-Cert #22907
ethanchowell started this conversation in Ideas
Replies: 1 comment 1 reply
-
Have you tried one of the existing providers and simply configured the correct header name?
-
For users that run Keycloak in Kubernetes where ingress traffic is controlled by Istio, PKI auth can be a challenge if your Istio Gateway is configured for mTLS. Take the following Gateway for example:

This Gateway tells Istio that requests over HTTPS for any hostname need to be enforced by mTLS with the `cacert`, `cert` and `key` (PEM format) in the `mtls-cert` secret. Envoy proxies (Istio sidecars or gateway controllers) will terminate TLS and forward the request to Keycloak over HTTP. At this point, Keycloak isn't able to fetch the user certificate from the peer connection, so it can't perform X509 authentication. The only way I've found to get around it is to configure another Gateway and let Keycloak terminate TLS, leaving you with the following configs:

However, Envoy packages up the user's certificate into an `X-Forwarded-Client-Cert` header following this specification. Having an official `X509ClientCertificateLookup` provider for parsing user certs from that header would help simplify the networking configs with Istio, making it easier to run Keycloak in that setting.
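As an added example (not code from this discussion, from Keycloak or from Envoy), here is a stand-alone parser for the XFCC header value the post refers to, written from Envoy's published format: comma-separated elements (one per proxy hop), semicolon-separated `key=value` pairs with case-insensitive keys, double quotes around any value containing `,`, `;` or `=` (embedded quotes escaped as `\"`), a URL-encoded PEM in `Cert` (and `Chain`), and the hex SHA-256 of the leaf certificate's DER in `Hash`. The sample header, the SPIFFE identities and the "certificate" payload are constructed placeholders, not a real certificate. The hash check only confirms that `Hash` and `Cert` describe the same bytes; a lookup provider built on this would still hand the decoded certificate to Keycloak's normal X509 validation (trust chain, revocation, identity mapping). On the defender side, the header is only trustworthy when the Envoy in front of Keycloak replaces whatever value the client sent, which is Envoy's `forward_client_cert_details: SANITIZE_SET` behaviour (Istio exposes it through the gateway topology `forwardClientCertDetails` setting); without that, a value supplied by an external client would reach Keycloak unchanged.

```python
"""Parser for Envoy's X-Forwarded-Client-Cert (XFCC) header value (added example).

Format per Envoy's docs: elements separated by ",", each element a ";"-separated
list of key=value pairs (keys case-insensitive); values containing ",", ";" or
"=" are double-quoted with inner quotes escaped by a backslash; Cert and Chain
carry a URL-encoded PEM; Hash is the hex SHA-256 of the leaf's DER bytes.
"""
from __future__ import annotations

import base64
import hashlib
import re
from urllib.parse import quote, unquote


def _split_outside_quotes(value: str, sep: str) -> list[str]:
    """Split on `sep` only outside double-quoted sections (escapes preserved)."""
    parts: list[str] = []
    buf: list[str] = []
    quoted = False
    i = 0
    while i < len(value):
        ch = value[i]
        if quoted and ch == "\\" and i + 1 < len(value):
            buf.append(ch)
            buf.append(value[i + 1])  # keep the escape pair for _unquote to resolve
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p for p in parts if p]


def _unquote(value: str) -> str:
    """Strip surrounding double quotes and resolve backslash-escaped quotes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('\\"', '"')
    return value


def parse_xfcc(header: str) -> list[dict[str, object]]:
    """Return one dict per XFCC element (one per proxy hop), keys lower-cased.

    DNS may repeat, so it is collected into a list; other keys hold one value.
    """
    elements: list[dict[str, object]] = []
    for element in _split_outside_quotes(header, ","):
        fields: dict[str, object] = {}
        for pair in _split_outside_quotes(element, ";"):
            key, eq, raw = pair.partition("=")
            if not eq:
                raise ValueError(f"malformed XFCC pair: {pair!r}")
            key = key.strip().lower()
            val = _unquote(raw.strip())
            if key == "dns":
                fields.setdefault("dns", []).append(val)  # type: ignore[union-attr]
            else:
                fields[key] = val
        elements.append(fields)
    return elements


def leaf_certificate_pem(element: dict[str, object]) -> str | None:
    """URL-decode the Cert field back to PEM text (Chain would hold leaf + issuers)."""
    cert = element.get("cert")
    return unquote(cert) if isinstance(cert, str) else None


def hash_matches(element: dict[str, object]) -> bool:
    """Consistency check: Hash must equal SHA-256 of the DER carried in Cert.

    This only shows the two fields describe the same certificate; validating the
    chain against the realm's trust anchors is a separate step.
    """
    pem = leaf_certificate_pem(element)
    expected = element.get("hash")
    if pem is None or not isinstance(expected, str):
        return False
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        return False
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest() == expected.lower()


def sample_xfcc_header() -> str:
    """Constructed sample; the 'certificate' is a placeholder payload, not real DER."""
    fake_der = b"constructed placeholder, not a real certificate"
    pem = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(fake_der).decode() + "\n-----END CERTIFICATE-----\n"
    return (
        "By=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account;"
        f"Hash={hashlib.sha256(fake_der).hexdigest()};"
        f"Cert={quote(pem, safe='')};"
        'Subject="CN=alice,O=Example \\"Corp\\"";'
        "URI=spiffe://cluster.local/ns/default/sa/alice;"
        "DNS=alice.example.test;DNS=alt.example.test"
    )


if __name__ == "__main__":
    for hop in parse_xfcc(sample_xfcc_header()):
        print(hop.get("subject"), hop.get("uri"), hop.get("dns"), hash_matches(hop))
```

`parse_xfcc` returns one element per hop because Envoy appends to an existing header when it is configured to forward rather than sanitize; a lookup provider would normally take the last element, the one written by the proxy adjacent to Keycloak, and reject a request whose `Hash` and `Cert` disagree rather than silently preferring one of them.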