Package org.keycloak.services.x509
Class NginxProxySslClientCertificateLookup
- java.lang.Object
- org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
- org.keycloak.services.x509.NginxProxySslClientCertificateLookup
- All Implemented Interfaces: Provider, X509ClientCertificateLookup
public class NginxProxySslClientCertificateLookup extends AbstractClientCertificateFromHttpHeadersLookup
The NGINX provider extracts the end-user X.509 certificate sent during TLS mutual authentication and forwarded in an HTTP header. The NGINX configuration must contain:

    server {
        ...
        ssl_client_certificate path-to-my-trusted-cas-for-client-auth.pem;
        ssl_verify_client on|optional_no_ca;
        ssl_verify_depth 2;
        ...
        location / {
            ...
            proxy_set_header ssl-client-cert $ssl_client_escaped_cert;
            ...
        }
    }

Note that $ssl_client_cert is deprecated; use only $ssl_client_escaped_cert with this implementation.
- Since: 10/09/2018
- Version: $Revision: 1 $
- Author: Arnault MICHEL
Field Summary
- Fields inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
  certificateChainLength, logger, sslCertChainHttpHeaderPrefix, sslClientCertHttpHeader
Constructor Summary
- NginxProxySslClientCertificateLookup(String sslCientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength, KeycloakSession kcsession)
Method Summary
All Methods / Instance Methods / Concrete Methods
- X509Certificate[] buildChain(X509Certificate end_user_auth_cert)
  As NGINX cannot send the CA chain in HTTP header(s), the end-user certificate chain is rebuilt here from the Keycloak truststore.
- X509Certificate[] convertCertPathtoX509CertArray(CertPath certPath)
- protected X509Certificate decodeCertificateFromPem(String pem)
  Decodes the end-user certificate, including the URL decoding required by the ssl_client_escaped_cert nginx variable.
- X509Certificate[] getCertificateChain(org.jboss.resteasy.spi.HttpRequest httpRequest)
  Returns a client certificate, and optionally any certificates in the certificate chain.
- boolean loadKeycloakTrustStore(KeycloakSession kcsession)
  Loads the truststore at first login.
- Methods inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
  close, getCertificateFromHttpHeader
Constructor Detail

NginxProxySslClientCertificateLookup
public NginxProxySslClientCertificateLookup(String sslCientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength, KeycloakSession kcsession)
Method Detail

decodeCertificateFromPem
protected X509Certificate decodeCertificateFromPem(String pem) throws PemException
Decodes the end-user certificate, including the URL decoding required by the ssl_client_escaped_cert nginx variable.
- Specified by: decodeCertificateFromPem in class AbstractClientCertificateFromHttpHeadersLookup
- Throws: PemException
getCertificateChain
public X509Certificate[] getCertificateChain(org.jboss.resteasy.spi.HttpRequest httpRequest) throws GeneralSecurityException
Description copied from interface: X509ClientCertificateLookup
Returns a client certificate, and optionally any certificates in the certificate chain.
- Specified by: getCertificateChain in interface X509ClientCertificateLookup
- Overrides: getCertificateChain in class AbstractClientCertificateFromHttpHeadersLookup
- Throws: GeneralSecurityException
buildChain
public X509Certificate[] buildChain(X509Certificate end_user_auth_cert)
As NGINX cannot send the CA chain in HTTP header(s), the end-user certificate chain is rebuilt here from the Keycloak truststore.
Please note that the Keycloak truststore must contain the root and intermediate CA certificates.
- Parameters: end_user_auth_cert
- Returns:

convertCertPathtoX509CertArray
public X509Certificate[] convertCertPathtoX509CertArray(CertPath certPath)
loadKeycloakTrustStore
public boolean loadKeycloakTrustStore(KeycloakSession kcsession)
Loads the truststore at first login.
- Parameters: kcsession
- Returns:
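As an added illustration (not Keycloak's code), the following Ruby script reproduces the flow this class documents: it URL-decodes a header value shaped like $ssl_client_escaped_cert (the decodeCertificateFromPem step) and then rebuilds the chain against a trust store holding the root and intermediate CAs (the buildChain step), failing when the intermediate is absent. The certificates, the names "Test Root CA", "Test Intermediate CA" and "alice", and the helpers issue, nginx_escaped_header, lookup_chain and demo are all constructed for this demo; the trust store is Ruby's OpenSSL::X509::Store, standing in for the Keycloak truststore.

```ruby
require 'openssl'
require 'uri'

# Mint a constructed test certificate; without a parent it is a self-signed root CA.
def issue(cn, ca:, parent: nil, parent_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, required for the basicConstraints extension
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = parent ? parent.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(parent || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(parent_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# What "proxy_set_header ssl-client-cert $ssl_client_escaped_cert" puts in the header: the PEM URL-encoded
# onto one line. (nginx writes spaces as %20 rather than '+'; the decoder below accepts both forms.)
def nginx_escaped_header(cert)
  URI.encode_www_form_component(cert.to_pem)
end

# The lookup path the Javadoc describes: URL-decode the header (decodeCertificateFromPem), then rebuild
# the chain from a trust store holding the root and intermediate CAs (buildChain), since nginx cannot
# forward the chain itself. The store must contain the intermediate or the rebuild fails.
def lookup_chain(header, truststore)
  pem = URI.decode_www_form_component(header)
  leaf = OpenSSL::X509::Certificate.new(pem) # raises CertificateError if the value is not a PEM certificate
  ctx = OpenSSL::X509::StoreContext.new(truststore, leaf)
  raise "cannot rebuild chain: #{ctx.error_string}" unless ctx.verify
  ctx.chain # leaf first, root last
end

# Constructed demo: root -> intermediate -> end-user certificate for "alice"; returns the chain's subjects.
def demo(trust_intermediate: true)
  root, root_key = issue('Test Root CA', ca: true)
  inter, inter_key = issue('Test Intermediate CA', ca: true, parent: root, parent_key: root_key)
  leaf, _ = issue('alice', ca: false, parent: inter, parent_key: inter_key)
  truststore = OpenSSL::X509::Store.new
  truststore.add_cert(root)
  truststore.add_cert(inter) if trust_intermediate
  lookup_chain(nginx_escaped_header(leaf), truststore).map { |c| c.subject.to_s }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```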