X509 client authentication for a link on Login page

Hi
I need to be able to support X509 authentication for login. When I set up the authentication flow in Keycloak with X509 as an alternative authentication step, the user is prompted for a certificate as soon as the login page is called. The browser prompts the user to select a certificate even before they see the login page. Instead, I'd like to prompt the user to send the certificate only when the user clicks a link on the login page. Is it possible with Keycloak to control X509 authentication for a specific URL, or does this require adding a reverse proxy to handle mTLS and pass on the certificates in headers to the Keycloak server? Even if I introduce a reverse proxy like Apache, to what URL in Keycloak would I map the custom endpoint?

Thanks

I would say that perhaps using a proxy to handle mTLS and having Keycloak pick up the user certificate from an HTTP header could provide a LITTLE BIT more flexibility.
However, I believe you can manage the user experience by working with different domains, but not for a specific URL, as that’s not how mTLS works.

Thank you for confirming. I came to the same conclusion of using separate domains when trying with nginx, as it did not allow configuring mTLS based on location.

Regards
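The separate-domain approach suggested in the reply above and confirmed in the follow-up, as an added configuration example that is not from the thread or from the Keycloak project: two nginx server blocks chosen by SNI, only one of which requests a client certificate. Hostnames, file paths and the upstream address are assumptions; the "Log in with certificate" link on the login page (a custom login theme) would point at the second host.

```nginx
# Added example, not from the thread. Client-certificate negotiation happens
# during the TLS handshake, before nginx knows the request path, so it cannot
# be enabled per location; it can be chosen per server block via SNI.

# 1) Ordinary login host: never asks the browser for a certificate.
server {
    listen 443 ssl;
    server_name login.example.com;                 # assumed
    ssl_certificate     /etc/nginx/tls/login.crt;  # assumed
    ssl_certificate_key /etc/nginx/tls/login.key;  # assumed

    location / {
        proxy_pass http://keycloak:8080;           # assumed upstream
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Always overwrite the header, even with an empty value, so a client
        # cannot smuggle its own "ssl-client-cert" header through this host.
        proxy_set_header ssl-client-cert "";
    }
}

# 2) Certificate host: the login-page link points here, so the browser
#    prompts for a certificate only when the user follows that link.
server {
    listen 443 ssl;
    server_name cert-login.example.com;            # assumed
    ssl_certificate     /etc/nginx/tls/login.crt;  # assumed
    ssl_certificate_key /etc/nginx/tls/login.key;  # assumed

    ssl_client_certificate /etc/nginx/tls/client-ca.pem;  # assumed CA bundle
    ssl_verify_client optional;   # prompt, but do not reject handshakes without a cert
    ssl_verify_depth 3;

    location / {
        proxy_pass http://keycloak:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # URL-encoded PEM of the client certificate nginx verified; empty if none.
        # Keycloak reads it when started with
        #   --spi-x509cert-lookup-provider=nginx
        #   --spi-x509cert-lookup-nginx-ssl-client-cert=ssl-client-cert
        proxy_set_header ssl-client-cert $ssl_client_escaped_cert;
    }
}
```

Keycloak must be reachable only through this proxy, otherwise anyone who can reach port 8080 directly could present an arbitrary certificate in the header.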