org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup

org.keycloak.services.x509.NginxProxyTrustedClientCertificateLookup

All Implemented Interfaces:: Provider, X509ClientCertificateLookup

public class NginxProxyTrustedClientCertificateLookup extends AbstractClientCertificateFromHttpHeadersLookup

The NGINX Trusted Provider verify extract end user X.509 certificate sent during TLS mutual authentication, verifies it against provided CA the and forwarded in an HTTP header along with a new header ssl-client-verify: SUCCESS. NGINX configuration must have :


 server {
    ...
    ssl_client_certificate                  path-to-trusted-ca.crt;
    ssl_verify_client                       on|optional;
    ssl_verify_depth                        2;
    ...
    location / {
    ...
      proxy_set_header ssl-client-cert        $ssl_client_escaped_cert;
    ...
  }

Note that $ssl_client_cert is deprecated, use only $ssl_client_escaped_cert with this implementation

Since:: 01/09/2022
Version:: $Revision: 1 $
Author:: Youssef El Houti

Field Summary

Fields inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
certificateChainLength, logger, sslCertChainHttpHeaderPrefix, sslClientCertHttpHeader
Constructor Summary

Constructors

Constructor

Description

NginxProxyTrustedClientCertificateLookup(String sslCientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength)
Method Summary

Modifier and Type

Method

Description

protected X509Certificate

decodeCertificateFromPem(String pem)

protected X509Certificate

getCertificateFromHttpHeader(HttpRequest request, String httpHeader)

Methods inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
close, getCertificateChain

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details
- NginxProxyTrustedClientCertificateLookup
  
  public NginxProxyTrustedClientCertificateLookup(String sslCientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength)
Method Details
- getCertificateFromHttpHeader
  
  protected X509Certificate getCertificateFromHttpHeader(HttpRequest request, String httpHeader) throws GeneralSecurityException
  
  Overrides:
  
  getCertificateFromHttpHeader in class AbstractClientCertificateFromHttpHeadersLookup
  
  Throws:
  
  GeneralSecurityException
- decodeCertificateFromPem
  
  protected X509Certificate decodeCertificateFromPem(String pem) throws PemException
  
  Specified by:
  
  decodeCertificateFromPem in class AbstractClientCertificateFromHttpHeadersLookup
  
  Throws:
  
  PemException

Class NginxProxyTrustedClientCertificateLookup

Field Summary

Fields inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup

Constructor Summary

Method Summary

Methods inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup

Methods inherited from class java.lang.Object

Constructor Details

NginxProxyTrustedClientCertificateLookup

Method Details

getCertificateFromHttpHeader

decodeCertificateFromPem