Package org.keycloak.services.x509
Class TraefikProxySslClientCertificateLookup
java.lang.Object
org.keycloak.services.x509.TraefikProxySslClientCertificateLookup
- All Implemented Interfaces:
Provider, X509ClientCertificateLookup
public class TraefikProxySslClientCertificateLookup
extends Object
implements X509ClientCertificateLookup
This provider extracts X.509 client certificates forwarded to Keycloak when it is configured behind a Traefik reverse proxy using the PassTLSClientCert middleware with pem: true.
Traefik's PassTLSClientCert middleware (with pem: true) forwards the client
certificate and any intermediate CA certificates as URL-encoded PEM blocks
in the X-Forwarded-Tls-Client-Cert HTTP header, separated by commas.
Example Traefik configuration:
[http.middlewares.my-tls-client-cert.passTLSClientCert]
[http.middlewares.my-tls-client-cert.passTLSClientCert.pem]
pem = true
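As an added illustration (not Keycloak's own code), the following stand-alone Java helper shows the decoding the description above implies: split the X-Forwarded-Tls-Client-Cert value on commas, URL-decode each PEM block, parse it with CertificateFactory, cap the result at certificateChainLength and, following the isProxyTrusted() note in the interface documentation, return nothing unless the request came through a trusted proxy. The class name, method name and proxyTrusted parameter are hypothetical; the header value is assumed to be taken from the incoming request.

```java
import java.io.ByteArrayInputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper (not Keycloak's implementation) for the Traefik header format. */
public final class TraefikClientCertHeader {

    /** Header set by Traefik's PassTLSClientCert middleware when pem = true. */
    public static final String HEADER = "X-Forwarded-Tls-Client-Cert";

    /**
     * Returns the forwarded chain (leaf first, at most certificateChainLength entries),
     * or null when the header is absent or the request did not arrive via a trusted proxy.
     * The proxy check mirrors the HttpRequest.isProxyTrusted() note: a client that can
     * reach Keycloak directly could otherwise supply this header itself.
     */
    public static X509Certificate[] parseChain(boolean proxyTrusted, String headerValue,
                                               int certificateChainLength)
            throws GeneralSecurityException {
        if (!proxyTrusted || headerValue == null || headerValue.isBlank()) {
            return null;
        }
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        // Traefik joins the client certificate and any intermediates with commas;
        // base64 and the PEM armour never contain a comma, so a plain split is safe.
        for (String entry : headerValue.split(",")) {
            if (chain.size() >= certificateChainLength) {
                break; // ignore anything beyond the configured chain length
            }
            // Each block is URL-encoded by Traefik (base64 '+' arrives as %2B), so decode first.
            String pem = URLDecoder.decode(entry.trim(), StandardCharsets.UTF_8);
            if (!pem.startsWith("-----BEGIN CERTIFICATE-----")) {
                throw new GeneralSecurityException("unexpected non-PEM entry in " + HEADER);
            }
            // The X.509 factory accepts PEM-armoured input directly.
            chain.add((X509Certificate) factory.generateCertificate(
                    new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII))));
        }
        return chain.isEmpty() ? null : chain.toArray(new X509Certificate[0]);
    }
}
```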
Field Summary
Fields: protected int certificateChainLength
Constructor Summary
Constructors: TraefikProxySslClientCertificateLookup(int certificateChainLength)
Method Summary
Modifier and Type | Method | Description
void | close() |
X509Certificate[] | getCertificateChain(HttpRequest httpRequest) | Returns a client certificate, and optionally any certificates in the certificate chain.
Field Details
certificateChainLength
protected int certificateChainLength
Constructor Details
TraefikProxySslClientCertificateLookup
public TraefikProxySslClientCertificateLookup(int certificateChainLength)
Method Details
getCertificateChain
public X509Certificate[] getCertificateChain(HttpRequest httpRequest) throws GeneralSecurityException
Description copied from interface: X509ClientCertificateLookup
Returns a client certificate, and optionally any certificates in the certificate chain.
IMPORTANT: implementations should ensure that the source of the certificate is trusted. See for example the HttpRequest.isProxyTrusted() method.
- Specified by:
getCertificateChain in interface X509ClientCertificateLookup
- Returns:
- Throws:
GeneralSecurityException
close
public void close()