java.lang.Object
- org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
- - org.keycloak.services.x509.NginxProxyTrustedClientCertificateLookup

All Implemented Interfaces:

Provider, X509ClientCertificateLookup
```
public class NginxProxyTrustedClientCertificateLookup
extends AbstractClientCertificateFromHttpHeadersLookup
```
The NGINX Trusted Provider verify extract end user X.509 certificate sent during TLS mutual authentication, verifies it against provided CA the and forwarded in an HTTP header along with a new header ssl-client-verify: SUCCESS. NGINX configuration must have : server { ... ssl_client_certificate path-to-trusted-ca.crt; ssl_verify_client on|optional; ssl_verify_depth 2; ... location / { ... proxy_set_header ssl-client-cert $ssl_client_escaped_cert; ... } Note that $ssl_client_cert is deprecated, use only $ssl_client_escaped_cert with this implementation

Since:

01/09/2022

Version:

$Revision: 1 $

Author:

Youssef El Houti

Field Summary
- Fields inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
  certificateChainLength, logger, sslCertChainHttpHeaderPrefix, sslClientCertHttpHeader

Constructor Summary

Constructors
Constructor	Description
`NginxProxyTrustedClientCertificateLookup(String sslCientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength)`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`protected X509Certificate`	`decodeCertificateFromPem(String pem)`
`protected X509Certificate`	`getCertificateFromHttpHeader(HttpRequest request, String httpHeader)`

Methods inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
close, getCertificateChain

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

NginxProxyTrustedClientCertificateLookup

public NginxProxyTrustedClientCertificateLookup(String sslCientCertHttpHeader,
                                                String sslCertChainHttpHeaderPrefix,
                                                int certificateChainLength)

Method Detail

getCertificateFromHttpHeader

protected X509Certificate getCertificateFromHttpHeader(HttpRequest request,
                                                       String httpHeader)
                                                throws GeneralSecurityException

Overrides:: getCertificateFromHttpHeader in class AbstractClientCertificateFromHttpHeadersLookup
Throws:: GeneralSecurityException

decodeCertificateFromPem

protected X509Certificate decodeCertificateFromPem(String pem)
                                            throws PemException

Specified by:: decodeCertificateFromPem in class AbstractClientCertificateFromHttpHeadersLookup
Throws:: PemException

Class NginxProxyTrustedClientCertificateLookup

Field Summary

Fields inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup

Constructor Summary

Method Summary

Methods inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup

Methods inherited from class java.lang.Object

Constructor Detail

NginxProxyTrustedClientCertificateLookup

Method Detail

getCertificateFromHttpHeader

decodeCertificateFromPem