Support for x509 authentication

[moritzschmitz-oviva]

Problem Statement

The /admin path in our Keycloak instance is exposed to the public. Some of our admin users require access to the admin console. keycloak-config-cli is accessing Keycloak through an internal path though.

To add a layer of security, all our admin accounts use 2FA, but this constraint blocks us from using keycloak-config-cli.

Since Keycloak supports x509 client authentication I would like to see keycloak-config-cli to support it. It would allow keycloak-config-cli to use a secure communications channel and would be a safe workaround for the 2FA requirement (in our use case).

Proposed Solution

Implement four new flags (following the flags from: https://www.keycloak.org/server/enabletls):

--key-store-file
--key-store-file-password
--trust-store-file
--trust-store-password

If they are set, use certificates to communicate with the Keycloak instance.

Looking at the implementation on Keycloak side it looks easy with Quarkus. Not so sure about the JBoss library used here.

Environment

• Keycloak Version: [22.0.5]
• keycloak-config-cli Version: [5.9.0]

Additional information

No response

Acceptance Criteria

• [] as a user I want to be able to configure x509 client authentication
• [] as a user I want to be able to provide the certificates for x509 client authentication

[NiC0x36]

We have the same issue. A solution would be much appreciated, as our admin accounts use 2FA also.