Class EnvoyProxySslClientCertificateLookup

java.lang.Object
org.keycloak.services.x509.EnvoyProxySslClientCertificateLookup
All Implemented Interfaces:
Provider, X509ClientCertificateLookup

public class EnvoyProxySslClientCertificateLookup extends Object implements X509ClientCertificateLookup
  • Field Details

  • Constructor Details

    • EnvoyProxySslClientCertificateLookup

      public EnvoyProxySslClientCertificateLookup()
  • Method Details

    • close

      public void close()
      Specified by:
      close in interface Provider
    • getCertificateChain

      public X509Certificate[] getCertificateChain(HttpRequest httpRequest) throws GeneralSecurityException
      Extracts the client certificate chain from the HTTP request forwarded by Envoy. Envoy encodes the client certificate and the certificate chain in the header in the following format:

      x-forwarded-client-cert: key1="url encoded value 1";key2="url encoded value 2";...

      The following keys are supported by this implementation:
      1. Cert - The entire client certificate in URL encoded PEM format.
      2. Chain - The entire client certificate chain (including the leaf certificate) in URL encoded PEM format.

      For Envoy documentation, see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-client-cert
      Specified by:
      getCertificateChain in interface X509ClientCertificateLookup
      Parameters:
      httpRequest - The HTTP request forwarded by Envoy.
      Returns:
      The client certificate chain extracted from the HTTP request.
      Throws:
      GeneralSecurityException
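
The header format described for getCertificateChain, as an added example that is not Keycloak's own implementation: it splits the x-forwarded-client-cert value into its key/value pairs, then URL-decodes Chain (or Cert) and parses the PEM. The class and method names (XfccExample, parse, toChain) are hypothetical, the sample header is constructed, and rejecting a header with more than one comma-separated element is this example's own fail-closed choice, on the assumption that Envoy sets the header itself rather than passing through a client-supplied one.

```java
import java.io.ByteArrayInputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;

public class XfccExample {
    // Split one XFCC element into key/value pairs; ';' and '=' inside double quotes are data.
    static Map<String, String> parse(String header) {
        Map<String, String> pairs = new LinkedHashMap<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (int i = 0; i <= header.length(); i++) {
            char c = i < header.length() ? header.charAt(i) : ';'; // sentinel flushes the last pair
            if (c == '\\' && quoted && i + 1 < header.length()) { cur.append(header.charAt(++i)); continue; }
            if (c == '"') { quoted = !quoted; continue; }
            // Example policy (assumption): accept a single element only, fail closed otherwise.
            if (c == ',' && !quoted) throw new IllegalArgumentException("more than one XFCC element");
            if (c != ';' || quoted) { cur.append(c); continue; }
            int eq = cur.indexOf("=");
            if (eq > 0) pairs.put(cur.substring(0, eq).trim(), cur.substring(eq + 1));
            cur.setLength(0);
        }
        if (quoted) throw new IllegalArgumentException("unterminated quoted value");
        return pairs;
    }

    // Prefer Chain (which includes the leaf); fall back to Cert. Returns null if neither is present.
    static X509Certificate[] toChain(Map<String, String> pairs) throws GeneralSecurityException {
        String value = pairs.getOrDefault("Chain", pairs.get("Cert"));
        if (value == null) return null;
        // URLDecoder turns a literal '+' into a space, which would corrupt base64; protect it first.
        String pem = URLDecoder.decode(value.replace("+", "%2B"), StandardCharsets.UTF_8);
        return CertificateFactory.getInstance("X.509")
                .generateCertificates(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)))
                .toArray(new X509Certificate[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample without Cert/Chain; pass a real header value as args[0] to decode certificates.
        String header = args.length > 0 ? args[0] : "By=spiffe://example.test/frontend;Subject=\"CN=client;O=Example\"";
        Map<String, String> pairs = parse(header);
        System.out.println("keys: " + pairs.keySet());
        X509Certificate[] chain = toChain(pairs);
        System.out.println(chain == null || chain.length == 0 ? "no certificate in header"
                : "leaf subject: " + chain[0].getSubjectX500Principal());
    }
}
```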