Package org.keycloak.services.x509
Class NginxProxyTrustedClientCertificateLookup
- java.lang.Object
  - org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
    - org.keycloak.services.x509.NginxProxyTrustedClientCertificateLookup
- All Implemented Interfaces:
Provider, X509ClientCertificateLookup
public class NginxProxyTrustedClientCertificateLookup extends AbstractClientCertificateFromHttpHeadersLookup
The NGINX Trusted Provider extracts the end-user X.509 certificate that was sent during TLS mutual authentication, verified against the provided CA, and forwarded in an HTTP header along with a new header ssl-client-verify: SUCCESS.
NGINX configuration must have:

    server {
        ...
        ssl_client_certificate path-to-trusted-ca.crt;
        ssl_verify_client on|optional;
        ssl_verify_depth 2;
        ...
        location / {
            ...
            proxy_set_header ssl-client-cert $ssl_client_escaped_cert;
            ...
        }
    }

Note that $ssl_client_cert is deprecated; use only $ssl_client_escaped_cert with this implementation.
- Since:
- 01/09/2022
- Version:
- $Revision: 1 $
- Author:
- Youssef El Houti
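
The configuration from the class description, filled out as an added example (not part of the Keycloak documentation) that also sets the ssl-client-verify header the description mentions. The file paths, server_name and upstream address are placeholders, and sourcing the header from NGINX's $ssl_client_verify variable is an assumption about how the header is populated.

```nginx
# Added example, not from the Keycloak project. Paths, host name and the
# upstream address are placeholders.
server {
    listen 443 ssl;
    server_name keycloak.example.test;                      # placeholder

    ssl_certificate         /etc/nginx/tls/server.crt;      # placeholder
    ssl_certificate_key     /etc/nginx/tls/server.key;      # placeholder

    # CA bundle that client certificates must chain to.
    ssl_client_certificate  /etc/nginx/tls/trusted-ca.crt;  # placeholder
    ssl_verify_client       optional;
    ssl_verify_depth        2;

    location / {
        # proxy_set_header replaces a header of the same name sent by the
        # client, so the backend only sees values produced by NGINX.
        # When no client certificate was presented the variable is empty
        # and NGINX passes no ssl-client-cert header at all.
        proxy_set_header ssl-client-cert   $ssl_client_escaped_cert;

        # $ssl_client_verify is SUCCESS, FAILED:<reason> or NONE.
        proxy_set_header ssl-client-verify $ssl_client_verify;

        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;                   # placeholder
    }
}
```

NGINX inherits proxy_set_header directives from the enclosing level only when the current level defines none of its own, so any nested location that adds a proxy_set_header must repeat both ssl-client-* lines. Without them, client-supplied headers of those names would reach the backend unchanged.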
Field Summary
-
Fields inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
certificateChainLength, logger, sslCertChainHttpHeaderPrefix, sslClientCertHttpHeader
-
-
Constructor Summary
Constructors:
- NginxProxyTrustedClientCertificateLookup(String sslCientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength)
-
Method Summary
Instance methods (all concrete):
- protected X509Certificate decodeCertificateFromPem(String pem)
- protected X509Certificate getCertificateFromHttpHeader(HttpRequest request, String httpHeader)
-
Methods inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
close, getCertificateChain
Method Detail
-
getCertificateFromHttpHeader
protected X509Certificate getCertificateFromHttpHeader(HttpRequest request, String httpHeader) throws GeneralSecurityException
- Overrides:
getCertificateFromHttpHeader in class AbstractClientCertificateFromHttpHeadersLookup
- Throws:
GeneralSecurityException
-
decodeCertificateFromPem
protected X509Certificate decodeCertificateFromPem(String pem) throws PemException
- Specified by:
decodeCertificateFromPem in class AbstractClientCertificateFromHttpHeadersLookup
- Throws:
PemException