I’ve been looking far and wide but to no avail.
We have set up a client that is only used for service accounts; this client is confidential and is configured to authenticate via X.509 mTLS.
I’d like to know if there is any way to know the DN of the certificate used to authenticate? Or some guidance perhaps on how to implement this?
I thought there might be a mapper available but it seems not?
I don’t believe this is possible out-of-the-box with Keycloak right now (v21).
You could investigate that by checking if, after login, any user attribute appears related to the cert (I don’t believe that is the case), and if it does, you can map this attribute to the token.
Yeah… I looked into the code and I fear your assessment is 100% correct. Thanks for confirming it.
This might be as good a place as any to start the conversation. I see some ephemeral bits of information, like the IP address on which the client was accessed, being copied to the token because they were added via a session note mapper.
Would it not make sense to allow the DN to be mapped to the token as well? I see the client authentication flow at the very least logs the matching certificate; perhaps I can create a PR that adds this as a session note and thus makes it mappable?
I’ll investigate this further after some sleep and a bucket of coffee, but I’m interested to learn if that kinda makes sense?