keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Support Caddy as a Reverse Proxy Provider for Client Certificate Authentication #20761

Open henryreed opened 1 year ago

henryreed commented 1 year ago

Description

Caddy is a relatively new web server. To support Caddy as a reverse proxy provider for client certificate authentication, the Keycloak team will need to add support for Base64-encoded DER certificates. As of right now, Keycloak only supports PEM files.

Discussion

No response

Motivation

While Caddy is a new web server, it is not uncommon. Caddy has been used by Cloudflare in their implementation of their MITM protection service; separately, Let's Encrypt considers Caddy's "implementation of ACME to be the gold standard of ACME clients," per Wikipedia. Supporting Caddy would be a great addition to Keycloak as more enterprises consider Caddy for their web server needs.

Details

Per the lead developer, Caddy will not support passing PEM-formatted certificates in HTTP headers and instead only supports Base64-encoded DERs; therefore, the standard Apache, Nginx and HAProxy provider options do not work with Caddy. Caddy also does not automatically construct a certificate chain when passing a client certificate, similar to how Nginx currently works (Keycloak documentation mentions this here under "Configuring the NGINX provider").

My ask is to add Caddy as a reverse proxy provider. This would be nearly identical to the Nginx provider, except Keycloak must accept Base64-encoded DER certificates. As of right now, if a DER certificate is passed to Keycloak via Caddy, the following error occurs, as the format lacks the expected newline characters:

ERROR [org.keycloak.services] (executor-thread-50) org.keycloak.common.util.PemException: org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory$ExCertificateException: parsing issue: long form definite-length more than 31 bits: java.security.GeneralSecurityException: org.keycloak.common.util.PemException: org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory$ExCertificateException: parsing issue: long form definite-length more than 31 bits

hslatman commented 1 year ago

Implementing support for the HTTP Client-Cert header might be the way to go.

henryreed commented 1 year ago

Per the linked issue in Caddy, yes, I believe that is the way to go.
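The thread turns on one practical problem: Keycloak's providers expect the proxy to forward a PEM-armored certificate, while Caddy forwards bare Base64 DER, and the Client-Cert header suggested above (RFC 9440) carries Base64 DER wrapped in colons as a structured-field byte sequence. The following is an added example, not Keycloak's or Caddy's code, of a header normalizer that accepts all of those shapes and validates the result as a single DER SEQUENCE before handing it to a certificate parser. The DER sample is constructed (it is not a real X.509 certificate, only the outer framing); the per-proxy header encodings (plain PEM, URL-encoded PEM as nginx's $ssl_client_escaped_cert produces, PEM with line breaks replaced by spaces, colon-wrapped Client-Cert, bare Base64) are assumptions about what each proxy sends, not Keycloak behaviour.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed stand-in for a DER-encoded certificate (NOT a real X.509
# certificate): one outer SEQUENCE whose length needs the long form, so the
# length parsing below is exercised as it would be on a real certificate.
_INNER = b"\x30\x03\x02\x01\x07"                      # SEQUENCE { INTEGER 7 }
_BODY = _INNER + b"\x00" * 200                        # 205 bytes: long form needed
FAKE_DER = b"\x30\x81" + bytes([len(_BODY)]) + _BODY  # 0x81: one length byte follows

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _b64(text):
    """Strict base64 decode after dropping all whitespace (PEM line breaks,
    or the spaces/tabs some proxies substitute for them)."""
    return base64.b64decode(re.sub(r"\s+", "", text), validate=True)


def der_outer_length(der):
    """Check that `der` is exactly one DER SEQUENCE and return its total size.

    Handles short- and long-form definite lengths, rejects indefinite and
    non-minimal length encodings, and caps the length field at 4 bytes.
    """
    if len(der) < 2:
        raise ValueError("too short to be DER")
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (tag 0x%02x)" % der[0])
    first = der[1]
    if first < 0x80:                      # short form: this byte is the length
        length, header = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    else:                                 # long form: low 7 bits = byte count
        n = first & 0x7F
        if n > 4:
            raise ValueError("length field of %d bytes is too wide" % n)
        if len(der) < 2 + n:
            raise ValueError("truncated length field")
        length = int.from_bytes(der[2:2 + n], "big")
        if (n > 1 and der[2] == 0) or (n == 1 and length < 0x80):
            raise ValueError("non-minimal length encoding is not valid DER")
        header = 2 + n
    total = header + length
    if total != len(der):
        raise ValueError("length mismatch: header says %d, got %d" % (total, len(der)))
    return total


def header_to_der(value):
    """Turn a forwarded client-certificate header value into raw DER bytes.

    Accepted shapes (assumed per-proxy formats, not Keycloak behaviour):
      * PEM with BEGIN/END markers: plain, URL-encoded, or with line breaks
        replaced by spaces/tabs
      * RFC 9440 Client-Cert byte sequence: base64 DER between colons
      * bare base64 DER with no markers and no line breaks (Caddy, per the issue)
    Raises ValueError for anything that does not decode to one DER SEQUENCE.
    """
    v = unquote(value.strip())            # no-op on inputs without '%'
    m = _PEM_RE.search(v)
    if m:
        der = _b64(m.group(1))
    elif len(v) > 2 and v.startswith(":") and v.endswith(":"):
        der = _b64(v[1:-1])
    else:
        der = _b64(v)
    der_outer_length(der)                 # reject text that merely looks like base64
    return der


def rejects(value):
    """True if header_to_der refuses `value` (exercises the failure modes)."""
    try:
        header_to_der(value)
    except ValueError:                    # binascii.Error is a ValueError too
        return True
    return False


# Constructed header values, one per proxy style discussed in the thread.
_B64 = base64.b64encode(FAKE_DER).decode()
_PEM = ("-----BEGIN CERTIFICATE-----\n"
        + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
        + "\n-----END CERTIFICATE-----\n")
SAMPLES = {
    "apache_pem": _PEM,
    "nginx_escaped_pem": quote(_PEM, safe=""),
    "pem_with_spaces": _PEM.replace("\n", " "),
    "rfc9440_client_cert": ":" + _B64 + ":",
    "caddy_bare_base64": _B64,
}


def decode_all():
    """Map each sample name to whether it normalizes back to FAKE_DER."""
    return {name: header_to_der(val) == FAKE_DER for name, val in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in decode_all().items():
        print("%-22s %s" % (name, "ok" if ok else "FAILED"))
    print("PEM body without markers rejected:", rejects(_PEM.replace("-----", "")))
```

The DER check matters because a proxy header is attacker-influenced input at the boundary of the trust model: the normalizer should only ever pass bytes whose outer framing is consistent to the X.509 parser, and it should fail closed on anything else rather than letting a low-level parser error surface as the only signal, as in the log above.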