NginxProxySslClientCertificateLookup (Keycloak Docs Distribution 14.0.0 API)

java.lang.Object
- org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
- - org.keycloak.services.x509.NginxProxySslClientCertificateLookup

All Implemented Interfaces:

Provider, X509ClientCertificateLookup
```
public class NginxProxySslClientCertificateLookup
extends AbstractClientCertificateFromHttpHeadersLookup
```
The NGINX Provider extract end user X.509 certificate send during TLS mutual authentication, and forwarded in an http header. NGINX configuration must have : server { ... ssl_client_certificate path-to-my-trustyed-cas-for-client-auth.pem; ssl_verify_client on|optional_no_ca; ssl_verify_depth 2; ... location / { ... proxy_set_header ssl-client-cert $ssl_client_escaped_cert; ... } Note that $ssl_client_cert is deprecated, use only $ssl_client_escaped_cert with this implementation

Since:

10/09/2018

Version:

$Revision: 1 $

Author:

Arnault MICHEL

Field Summary
- Fields inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
  certificateChainLength, logger, sslCertChainHttpHeaderPrefix, sslClientCertHttpHeader

Constructor Summary

Constructors
Constructor and Description
`NginxProxySslClientCertificateLookup(String sslCientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength, KeycloakSession kcsession)`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`X509Certificate[]`	`buildChain(X509Certificate end_user_auth_cert)` As NGINX cannot actually send the CA Chain in http header(s), we are rebuilding here the end user certificate chain with Keycloak truststore.
`X509Certificate[]`	`convertCertPathtoX509CertArray(CertPath certPath)`
`protected X509Certificate`	`decodeCertificateFromPem(String pem)` Decoding end user certificate, including URL decodeding due to ssl_client_escaped_cert nginx variable.
`X509Certificate[]`	`getCertificateChain(org.jboss.resteasy.spi.HttpRequest httpRequest)` Returns a client certificate, and optionally any certificates in the certificate chain.
`boolean`	`loadKeycloakTrustStore(KeycloakSession kcsession)` Loading truststore @ first login

Methods inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
close, getCertificateFromHttpHeader

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - NginxProxySslClientCertificateLookup
```
public NginxProxySslClientCertificateLookup(String sslCientCertHttpHeader,
                                            String sslCertChainHttpHeaderPrefix,
                                            int certificateChainLength,
                                            KeycloakSession kcsession)
```
- Method Detail
  - decodeCertificateFromPem
```
protected X509Certificate decodeCertificateFromPem(String pem)
                                            throws PemException
```
    Decoding end user certificate, including URL decodeding due to ssl_client_escaped_cert nginx variable.
    
    Specified by:
    
    decodeCertificateFromPem in class AbstractClientCertificateFromHttpHeadersLookup
    
    Throws:
    
    PemException
  - getCertificateChain
```
public X509Certificate[] getCertificateChain(org.jboss.resteasy.spi.HttpRequest httpRequest)
                                      throws GeneralSecurityException
```
    Description copied from interface: X509ClientCertificateLookup
    
    Returns a client certificate, and optionally any certificates in the certificate chain.
    
    Specified by:
    
    getCertificateChain in interface X509ClientCertificateLookup
    
    Overrides:
    
    getCertificateChain in class AbstractClientCertificateFromHttpHeadersLookup
    
    Returns:
    
    Throws:
    
    GeneralSecurityException
  - buildChain
```
public X509Certificate[] buildChain(X509Certificate end_user_auth_cert)
```
    As NGINX cannot actually send the CA Chain in http header(s), we are rebuilding here the end user certificate chain with Keycloak truststore.
    Please note that Keycloak truststore must contain root and intermediate CA's certificates.
    
    Parameters:
    
    end_user_auth_cert -
    
    Returns:
  - convertCertPathtoX509CertArray
```
public X509Certificate[] convertCertPathtoX509CertArray(CertPath certPath)
```
  - loadKeycloakTrustStore
```
public boolean loadKeycloakTrustStore(KeycloakSession kcsession)
```
    Loading truststore @ first login
    
    Parameters:
    
    kcsession -
    
    Returns:

Class NginxProxySslClientCertificateLookup

Field Summary

Fields inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup

Constructor Summary

Method Summary

Methods inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup

Methods inherited from class java.lang.Object

Constructor Detail

NginxProxySslClientCertificateLookup

Method Detail

decodeCertificateFromPem

getCertificateChain

buildChain

convertCertPathtoX509CertArray

loadKeycloakTrustStore