In this article Janua’s CTO share tips and tricks about Keycloak X509 Certificate Authentication.

1. Overview

The goal is to explain how it is possible to authenticate user against keycloak applications using client certificates.

This can be very useful in case of direct access grant, where the user want to authenticate against keycloak using REST API.

Direct Access Grant is the only oauth2/openid flow which allows to perform REST API calls. But, unfortunately, this flow is not secured, as the user credentials are exposed as it is on the wire.

Keycloak X509 Certificate Authentication
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded


grant_type=password&username=johndoe&password=A3ddj3w

2. Drawback of direct access grant Oauth2 code flow

As can be seen above, the direct access grant flow, expose directly the user credentials on the wire (username/password) making such an invocation quite vulnerable to MITM attacks (man in the middle attacks)

This type of flow is a major security breach.

3. Keycloak using X509 certificate

It is possible with keycloak to define a new authentication flow similar to direct access, called X509 direct access,based on certificates.

This authentication flow is very secure, as there is no password transiting on the wire.

Like this, it is possible to authenticate a user against keycloak using directly the user certificate.

Example:

curl –insecure
https://localhost:8593/auth/realms/master/protocol/openid-connect/token \
-H ‘Authorization: Basic YXBwLWpzcDpmN2M3MjUyNC0yYzZjLTRiMTEtOGRiNS1hNWQ0ZTBlN2Q1Zjg=’
-H ‘content-type: application/x-www-form-urlencoded’ \
-d ‘grant_type=password’
-E /home/orivat/dev/keycloak/x509_auth/openssl_tests/user1.crt \
–key /home/orivat/dev/keycloak/x509_auth/openssl_tests/user1.key

Enter PEM pass phrase:


{« access_token »: »eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJmMjladkc0eXBxMWo2RENnYzk0QzZKMDIwZTdYX1J5MExxMTNoejdCdTAwIn0.eyJqdGkiOiI1YjA0Yzg1Ni1hM2U1LTQ4MmUtOTRhYy1lNTc5OGY4NDVkNjQiLCJleHAiOjE1NjM4OTE0NT
……
………
MsIm5iZiI6MCwiaWF0IjoxNTYzODkxMzkzLCJpc3MiOiJodHRwczovL2xvY2FsaG9zdDoLCJzY29wZSI6InByb2ZpbGUgZW1haWwifQ.xzOu6GUpLTMWDOXEntNoaecL2PNNEkqbbiU8DVRTGlE », »token_type »: »bearer », »not-before-policy »:1563886376, »session_state »: »4625130d-5018-484e-bb88-75c7a982e164″, »scope »: »profile email »}

4. Deployement

For any possible deployement of this specific X509 authentication flow customization , don’t hesitate to contact us.

Olivier Rivat

Senior Software Engineer with over 25 years of experience doing Software Development, Support and Consulting in Identity and Access Management Solutions.
Specialised in IAM (security, access control, identity management) and Open Source integration, settled in 2004 by IAM industry veteran, JANUA offers high value-added products and services to businesses and governements with a concern for Identity Management and Open Source components.
JANUA provides better security, build relationships, and enable new cloud, mobile, and IoT offerings from any device or connected thing.
Olivier Rivat

Les derniers articles par Olivier Rivat (tout voir)