mTLS with OIDC IDP

Hi there,

I need to configure an identity provider (OIDC type). The token endpoint need to be called with mTLS.
I have access to two version of keycloak (v9 and v15), both of them are running inside K8s

As of now, I tried many things :

• redhat-sso-7-openshift-image/sso74-x509-postgresql-persistent.adoc at sso74-dev · jboss-container-images/redhat-sso-7-openshift-image · GitHub
• cacerts extraction from image, add my certificate, rebuild the docker image
• GitHub - slaskawi/keycloak-mutual-tls-demo: Mutual TLS for Clients demo
• and so on…

Each try do the same : handshake_failure. I received the certificate from the IDP server and keycloak just respond with (ssl:handshake debug) :

Produced client Certificate handshake message (
"Certificates": <empty list>
)

What do I need to configure to make keycloak respond with my client certificate to validate the handshake ?

Thank you all for helping me.

In case someone is facing the same issue, here is the solution :

1. Create a keystore containing the client certificate and the key (protect this keystore with a password) :

openssl pkcs12 -export -in you-cert-fullchain.crt -inkey your-cert.key -out keystore.p12 -name your-cert

2. Create a secret containing these keystore :

kubectl create secret generic client-certificate --from-file=keystore.p12

Modify your Deployment in order to mount this secret inside your workload.

3. Edit your standalone config file
   In my case, I use specific actions.cli as my image is customized. At build time, a file containing actions is copy inside image. At launch time, these actions are run against the workload.
   Here is the actions to add the keystore :

/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-keystore,value=/the/path_to_the/keystore.p12)
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-keystore-password,value="THE_PASSWORD")
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-key-password,value="THE_PASSWORD")

Thanks! This was really useful. After reading this I also found the related official docs: Server Installation and Configuration Guide

Another thing which is very useful to know is that if you use a PKCS12 (.p12 or .pfx) file as keystore, then you need to use the keystore password in both places. A PKCS12 keystore does not have a key password, only a keystore password, and without setting both properties.client-keystore-password and properties.client-key-password to the actual keystore password, you get into strange error messages related to crypto padding.

Glad to have been helpful

Hey Guys @jmichaux , @bluefloyd

I have a requirement to check the feasibility of supporting mTLS (Keycloak to OIDC IDP Identity Broker) in a multitenant setup using custom code implementation. After conducting some research, I concluded that we should create a custom SPI for DefaultHttpClientFactory. The existing code will remain the same, except I would replace the values of clientKeystorePath, clientKeystorePassword, and clientPrivateKeyPassword with respective values. These values would be dynamic based on the realm (creating realm-specific keystores first and then using them here) same as edit standalone config file. Could you suggest if this approach will work or not? I am new to Keycloak and would appreciate any suggestions.