public class NginxProxySslClientCertificateLookup extends AbstractClientCertificateFromHttpHeadersLookup
```nginx
server {
    ...
    ssl_client_certificate  path-to-my-trusted-cas-for-client-auth.pem;
    ssl_verify_client       on|optional_no_ca;
    ssl_verify_depth        2;
    ...
    location / {
        ...
        proxy_set_header ssl-client-cert $ssl_client_escaped_cert;
        ...
    }
}
```

Note that $ssl_client_cert is deprecated; use only $ssl_client_escaped_cert with this implementation.

Fields inherited from class AbstractClientCertificateFromHttpHeadersLookup: certificateChainLength, logger, sslCertChainHttpHeaderPrefix, sslClientCertHttpHeader
Constructor and Description |
---|
NginxProxySslClientCertificateLookup(String sslCientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength, KeycloakSession kcsession) |
Modifier and Type | Method and Description
---|---
X509Certificate[] | buildChain(X509Certificate end_user_auth_cert): as NGINX cannot actually send the CA chain in HTTP header(s), the end user certificate chain is rebuilt here from the Keycloak truststore.
X509Certificate[] | convertCertPathtoX509CertArray(CertPath certPath)
protected X509Certificate | decodeCertificateFromPem(String pem): decodes the end user certificate, including URL decoding, because the value comes from the ssl_client_escaped_cert nginx variable.
X509Certificate[] | getCertificateChain(org.jboss.resteasy.spi.HttpRequest httpRequest): returns a client certificate, and optionally any certificates in the certificate chain.
boolean | loadKeycloakTrustStore(KeycloakSession kcsession): loads the truststore at first login.
Methods inherited from class AbstractClientCertificateFromHttpHeadersLookup: close, getCertificateFromHttpHeader
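The two steps this class documents, decoding the URL-escaped PEM that nginx places in the `ssl-client-cert` header and then rebuilding the issuer chain from a truststore, can be shown with plain JDK APIs. The following is an added example written for this page; it is not Keycloak's code and does not use the Keycloak or RESTEasy APIs. The header name comes from the nginx configuration above; the truststore path and password, the `headers` lookup function and the class and method names are placeholders chosen for the example. It needs Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.function.Function;

/**
 * Added example (not Keycloak's code): decode the percent-encoded PEM that nginx
 * puts in the ssl-client-cert header and rebuild the issuer chain from a truststore
 * with the JDK's PKIX CertPathBuilder.
 */
public final class NginxHeaderCertChainExample {

    /** Must match the header name given to proxy_set_header in the nginx config. */
    static final String SSL_CLIENT_CERT_HEADER = "ssl-client-cert";

    private NginxHeaderCertChainExample() {}

    /** Step 1: $ssl_client_escaped_cert is percent-encoded PEM, so URL-decode before parsing. */
    public static X509Certificate decodeEscapedPem(String headerValue) throws Exception {
        if (headerValue == null || headerValue.isEmpty()) {
            throw new IllegalArgumentException("missing " + SSL_CLIENT_CERT_HEADER + " header");
        }
        // nginx encodes '+' in the base64 body as %2B; re-escaping any literal '+' keeps
        // URLDecoder from turning it into a space if a proxy ever left it unencoded.
        String pem = URLDecoder.decode(headerValue.replace("+", "%2B"), StandardCharsets.UTF_8);
        if (!pem.contains("-----BEGIN CERTIFICATE-----")) {
            throw new IllegalArgumentException("header value is not a PEM certificate");
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII))) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Step 2: nginx cannot forward the CA chain in headers, so the chain is rebuilt from
     * the truststore. Returns the end-entity certificate first and the trust anchor last;
     * throws CertPathBuilderException when no path to a trusted CA exists.
     */
    public static X509Certificate[] buildChain(X509Certificate endEntity, KeyStore trustStore)
            throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(endEntity);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        // The builder looks the target up in a CertStore, so the end-entity cert is supplied there.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(List.of(endEntity))));
        params.setRevocationEnabled(false); // assumption: CRL/OCSP checking is handled elsewhere
        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                CertPathBuilder.getInstance("PKIX").build(params);
        List<? extends Certificate> path = result.getCertPath().getCertificates();
        X509Certificate[] chain = new X509Certificate[path.size() + 1];
        for (int i = 0; i < path.size(); i++) {
            chain[i] = (X509Certificate) path.get(i);
        }
        chain[path.size()] = result.getTrustAnchor().getTrustedCert();
        return chain;
    }

    /** Loads a JKS/PKCS12 truststore whose trustedCertEntry entries act as trust anchors. */
    public static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Ties both steps together; `headers` maps a header name to its value (placeholder). */
    public static X509Certificate[] lookupChain(Function<String, String> headers, KeyStore trustStore)
            throws Exception {
        X509Certificate endEntity = decodeEscapedPem(headers.apply(SSL_CLIENT_CERT_HEADER));
        return buildChain(endEntity, trustStore);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and password; a real deployment reads these from configuration.
        KeyStore trustStore = loadTrustStore("/path/to/truststore.p12", "changeit".toCharArray());
        String escapedPem = args.length > 0 ? args[0] : ""; // e.g. a captured header value
        for (X509Certificate c : lookupChain(name -> escapedPem, trustStore)) {
            System.out.println(c.getSubjectX500Principal() + " issued by " + c.getIssuerX500Principal());
        }
    }
}
```

The chain is only as trustworthy as the header: the application must be reachable solely through the nginx instance that sets `ssl-client-cert` (proxy_set_header replaces any value a client sends), and `ssl_verify_depth` on the proxy should agree with the depth the truststore-based rebuild can reach.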
Constructor Detail

public NginxProxySslClientCertificateLookup(String sslCientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength, KeycloakSession kcsession)

Method Detail

protected X509Certificate decodeCertificateFromPem(String pem) throws PemException
Overrides: decodeCertificateFromPem in class AbstractClientCertificateFromHttpHeadersLookup
Throws: PemException

public X509Certificate[] getCertificateChain(org.jboss.resteasy.spi.HttpRequest httpRequest) throws GeneralSecurityException
Description copied from interface: X509ClientCertificateLookup
Specified by: getCertificateChain in interface X509ClientCertificateLookup
Overrides: getCertificateChain in class AbstractClientCertificateFromHttpHeadersLookup
Throws: GeneralSecurityException

public X509Certificate[] buildChain(X509Certificate end_user_auth_cert)
Parameters: end_user_auth_cert -

public X509Certificate[] convertCertPathtoX509CertArray(CertPath certPath)

public boolean loadKeycloakTrustStore(KeycloakSession kcsession)
Parameters: kcsession -

Copyright © 2021 JBoss by Red Hat. All rights reserved.