Revoke X.509 client certificates for client credentials grant

Hello,

Part of implementing the Service-To-Service authentication and authorization effort is to create a client identity for each microservice in our Kubernetes cluster. Authentication would happen not with a client secret, but with X.509 client certificates that are unique to each client identity.

I have successfully tested the authentication with an X.509 certificate, but I don’t see any CRL / OCSP feature that would help me invalidate/revoke a client certificate if I ever need this.

What I find peculiar is that this feature, having CRL / OCSP with X.509 authentication, is already implemented and works correctly for user authentication but NOT for client authentication.

Do you know if there is a way to implement Certificate Revocation check at Keycloak level for client credentials grant?

If you implement a custom client authenticator, then yes. There’s no default OOTB option.

Okay, thank you for your response.

@thodoroaba - This is something we added to our backlog this week to look at. Did you go ahead with the custom client authenticator to add in these checks?

No, we added the certificate revocation logic (CRL/OCSP) only at the ingress level (nginx), thus doing mTLS authN in both parts: the Keycloak service and the regular web app. However, in my opinion it would make sense for consistency to have it in Keycloak at the client level, the same way it exists at the user level.

I would be interested to follow/test some changes if this becomes an actual effort.

Thanks,
Tiberius
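The ingress-level approach Tiberius describes, as an added illustration that is not part of this thread: nginx terminates mTLS, rejects revoked client certificates via CRL and OCSP before anything reaches Keycloak, and forwards the validated certificate so Keycloak's X.509 client authenticator can match it to the client identity. The hostname, file paths, upstream name and cache size are assumptions; the Keycloak lookup-provider options named in the comments are from Keycloak's reverse-proxy documentation and should be checked against your version.

```nginx
# Added example, not from the thread or the Keycloak project.
server {
    listen 443 ssl;
    server_name keycloak.example.internal;          # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt;  # assumed paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Require a client certificate that chains to the internal CA.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Revocation check 1: CRL (PEM). nginx loads it at start/reload,
    # so refresh the file and reload nginx when the CA publishes a new CRL.
    ssl_crl /etc/nginx/tls/client-ca.crl.pem;

    # Revocation check 2: OCSP for the client certificate (nginx >= 1.19.0).
    # nginx queries the responder from the certificate's AIA extension and
    # refuses the handshake if the leaf is reported revoked.
    ssl_ocsp       on;
    ssl_ocsp_cache shared:ocsp_cache:1m;            # assumed cache size

    location / {
        # Hand the already-validated certificate to Keycloak. Keycloak must
        # use its nginx certificate lookup provider for this header, e.g.
        #   --spi-x509cert-lookup-provider=nginx
        #   --spi-x509cert-lookup-nginx-ssl-client-cert=ssl-client-cert
        proxy_set_header ssl-client-cert   $ssl_client_escaped_cert;
        proxy_set_header ssl-client-verify $ssl_client_verify;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://keycloak:8080;            # assumed upstream
    }
}
```

Because Keycloak trusts the forwarded header, the Keycloak pods must be reachable only through this ingress (for example via a NetworkPolicy); otherwise a caller that bypasses nginx could supply its own header and skip the revocation check entirely.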

No worries, thanks for the follow up. I'll keep you posted on our findings when we get round to it, if it's still of interest.

Thanks again.