
I have an HAProxy as a reverse proxy in front of my application, which has x509 authentication. HAProxy does the X509 validation (client-certificate based) and adds the certificate back into the request header SSL_CLIENT_CERT. Now I want to identify the user from the certificate using Keycloak. I have the Keycloak authentication flow as given in the docs, and my haproxy config is as follows:

frontend http-frontend
    bind *:8888
    bind *:8888 transparent ssl crt /etc/x509/https/haproxy.pem ca-file /etc/x509/https/myCA.pem verify required
    http-request redirect scheme https if !{ ssl_fc }
    http-request set-header SSL_CLIENT_CERT %[ssl_c_der,base64]
    default_backend app1

backend app1
    server server1 host.docker.internal:8443/auth/realms/ng/protocol/openid-connect/auth ssl verify none

  1. What should be the Keycloak url to be forwarded from HAProxy?
  2. Is the CERT_CHAIN header mandatory? (If yes, how do I get it? ssl_c_der contains the server cert with the issuer. Should I split them?)
  3. After the user is extracted, will Keycloak redirect to the URL in the client? If yes, how do I mention a client name in HAProxy?
  4. What should be the settings for that specific `client`? (oidc/public/standard-flow)
  5. After the redirect, how will the application get the access token?

I also tried to forward the request to the web app from HAProxy and tried to log in via the authorisation-code flow. But Keycloak throws an error, maybe because I have only the x509 username form execution in the custom browser auth flow.

Winster
  • Any luck with this? I'm trying to pass the client cert and CA through http headers, per the Keycloak docs, but Keycloak is not recognizing the headers, it seems. I've tried manually adding CERT_CHAIN_* values by hard-coding the cert into the haproxy config but still no luck. Keycloak logs don't give much info other than 'invalid user'... so it's not clear if there's a problem using the http headers or it's a config/CA bundle issue. – Luke W May 15 '21 at 20:39
  • see if https://github.com/winster/springsecurity-keycloak helps you. – Winster May 17 '21 at 11:49
  • @LukeW Did you ever figure out how this works? – shxpark Oct 31 '21 at 18:19
  • @shxpark My particular issue is that I was using Keycloak's standalone.xml instead of standalone-ha.xml. Once I realized this, and updated the http header name used for getting the ssl cert, it worked. I did not need to use CERT_CHAIN. Other than that, I just used the jboss/keycloak docker hub image and followed the KC server docs. – Luke W Nov 01 '21 at 15:13
  • @LukeW Would you mind sharing your haproxy.cfg file? My proxy isn't requesting the client cert, and I can't figure out why. – shxpark Nov 03 '21 at 19:27
  • `http-request set-header SSL_CLIENT_CERT %{+Q}[ssl_c_der,base64]` @shxpark – Luke W Nov 03 '21 at 19:38
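Added example (not from the question, the comment thread, Keycloak or HAProxy) showing what the backend behind such a proxy has to do with the SSL_CLIENT_CERT header before it can treat the certificate's subject as a user: decode the value whether HAProxy emitted it as plain `%[ssl_c_der,base64]` or the `%{+Q}` quoted form from the last comment (a PEM body is accepted too), re-verify the chain against the CA the proxy trusts, require the clientAuth extended key usage, and only then return the CN. The CA and client certificate are constructed in memory as stand-ins for myCA.pem and a real user's certificate; the function names and the two HAProxy directives in the leading comment are this example's own assumptions, not anything the question's config contains. The example treats the header as the client's leaf certificate only, which is what ssl_c_der carries.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assumed HAProxy frontend lines that produce the header consumed below.
// The del-header line is the security-relevant one: without it a client can
// send its own SSL_CLIENT_CERT header and the backend would trust an
// identity the proxy never verified.
//   http-request del-header SSL_CLIENT_CERT
//   http-request set-header SSL_CLIENT_CERT %[ssl_c_der,base64] if { ssl_c_used }

// haproxyHeaderValue renders a DER certificate the way %[ssl_c_der,base64]
// does; quoted=true mimics the %{+Q} variant from the comment thread.
func haproxyHeaderValue(der []byte, quoted bool) string {
	v := base64.StdEncoding.EncodeToString(der)
	if quoted {
		return `"` + v + `"`
	}
	return v
}

// pemHeaderValue renders the same certificate as PEM, the other encoding a
// backend commonly has to accept from a proxy.
func pemHeaderValue(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// identityFromHeader is the backend side: decode the header (quoted or not,
// base64 DER or PEM), re-verify the certificate against the trusted CA,
// require the clientAuth EKU, and only then map the subject CN to a user.
func identityFromHeader(headerValue string, roots *x509.CertPool) (string, error) {
	v := strings.Trim(strings.TrimSpace(headerValue), `"`)
	var der []byte
	if strings.HasPrefix(v, "-----BEGIN") {
		block, _ := pem.Decode([]byte(v))
		if block == nil || block.Type != "CERTIFICATE" {
			return "", errors.New("header is not a PEM certificate")
		}
		der = block.Bytes
	} else {
		var err error
		if der, err = base64.StdEncoding.DecodeString(v); err != nil {
			return "", fmt.Errorf("header is not base64 DER: %w", err)
		}
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", fmt.Errorf("parse certificate: %w", err)
	}
	// Never trust the proxy's verdict alone: re-check chain, validity and EKU.
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if cert.Subject.CommonName == "" {
		return "", errors.New("certificate has no CN to map to a user")
	}
	return cert.Subject.CommonName, nil
}

// newTestPKI builds a throwaway CA plus a client certificate it signed,
// constructed in memory to stand in for myCA.pem and a real user's cert.
func newTestPKI(cn string) (*x509.CertPool, []byte, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, caCert, &clientKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, clientDER, nil
}

func main() {
	pool, der, err := newTestPKI("alice")
	if err != nil {
		panic(err)
	}
	// Plain, quoted, and a base64 blob that is not a certificate at all.
	for _, h := range []string{haproxyHeaderValue(der, false), haproxyHeaderValue(der, true), "bm90IGEgY2VydA=="} {
		user, err := identityFromHeader(h, pool)
		fmt.Printf("user=%q err=%v\n", user, err)
	}
}
```

The third header in main decodes fine as base64 but is not a certificate, so it is rejected at parse time; a certificate issued by a different CA passes parsing and is rejected by Verify instead. Which of those two failures you see in logs is a useful first hint when a setup like the one in the question only reports "invalid user".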

0 Answers