Package org.keycloak.services.x509

Class NginxProxySslClientCertificateLookup

java.lang.Object

org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup

org.keycloak.services.x509.NginxProxySslClientCertificateLookup

All Implemented Interfaces:

Provider, X509ClientCertificateLookup

public class NginxProxySslClientCertificateLookup
extends AbstractClientCertificateFromHttpHeadersLookup

The NGINX Provider extract end user X.509 certificate send during TLS mutual authentication, and forwarded in an http header. NGINX configuration must have : server { ... ssl_client_certificate path-to-my-trustyed-cas-for-client-auth.pem; ssl_verify_client on|optional_no_ca; ssl_verify_depth 2; ... location / { ... proxy_set_header ssl-client-cert $ssl_client_escaped_cert; ... } Note that $ssl_client_cert is deprecated, use only $ssl_client_escaped_cert with this implementation

Since:

10/09/2018

Version:

$Revision: 1 $

Author:

Arnault MICHEL

Field Summary

Fields inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup

certificateChainLength, logger, sslCertChainHttpHeaderPrefix, sslClientCertHttpHeader

Constructor Summary

Constructors

Constructor	Description
NginxProxySslClientCertificateLookup(String sslClientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength, Set<X509Certificate> intermediateCerts, Set<X509Certificate> trustedRootCerts, boolean isTruststoreLoaded, boolean certIsUrlEncoded)

Method Summary

Modifier and Type	Method	Description
protected void	buildChain(HttpRequest httpRequest, List<X509Certificate> chain, X509Certificate clientCert)
protected X509Certificate	decodeCertificateFromPem(String pem)	Decoding end user certificate, including URL decodeding due to ssl_client_escaped_cert nginx variable.

Methods inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup

close, getCertificateChain, getCertificateFromHttpHeader

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

NginxProxySslClientCertificateLookup

public NginxProxySslClientCertificateLookup(String sslClientCertHttpHeader,
 String sslCertChainHttpHeaderPrefix,
 int certificateChainLength,
 Set<X509Certificate> intermediateCerts,
 Set<X509Certificate> trustedRootCerts,
 boolean isTruststoreLoaded,
 boolean certIsUrlEncoded)

Method Details

decodeCertificateFromPem

protected X509Certificate decodeCertificateFromPem(String pem)
                                            throws PemException

Decoding end user certificate, including URL decodeding due to ssl_client_escaped_cert nginx variable.

Specified by:

decodeCertificateFromPem in class AbstractClientCertificateFromHttpHeadersLookup

Throws:

PemException

buildChain

protected void buildChain(HttpRequest httpRequest,
 List<X509Certificate> chain,
 X509Certificate clientCert)

Overrides:

buildChain in class AbstractClientCertificateFromHttpHeadersLookup