In this article Janua’s CTO share tips and tricks about Keycloak X509 Certificate Authentication.

1. Overview

The goal is to explain how it is possible to authenticate user against keycloak applications using client certificates.

This can be very useful in case of direct access grant, where the user want to authenticate against keycloak using REST API.

Direct Access Grant is the only oauth2/openid flow which allows to perform REST API calls. But, unfortunately, this flow is not secured, as the user credentials are exposed as it is on the wire.

Keycloak X509 Certificate Authentication
POST /token HTTP/1.1
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded


2. Drawback of direct access grant Oauth2 code flow

As can be seen above, the direct access grant flow, expose directly the user credentials on the wire (username/password) making such an invocation quite vulnerable to MITM attacks (man in the middle attacks)

This type of flow is a major security breach.

3. Keycloak using X509 certificate

It is possible with keycloak to define a new authentication flow similar to direct access, called X509 direct access,based on certificates.

This authentication flow is very secure, as there is no password transiting on the wire.

Like this, it is possible to authenticate a user against keycloak using directly the user certificate.


curl –insecure
https://localhost:8593/auth/realms/master/protocol/openid-connect/token \
-H ‘Authorization: Basic YXBwLWpzcDpmN2M3MjUyNC0yYzZjLTRiMTEtOGRiNS1hNWQ0ZTBlN2Q1Zjg=’
-H ‘content-type: application/x-www-form-urlencoded’ \
-d ‘grant_type=password’
-E /home/orivat/dev/keycloak/x509_auth/openssl_tests/user1.crt \
–key /home/orivat/dev/keycloak/x509_auth/openssl_tests/user1.key

Enter PEM pass phrase:

{« access_token »: »eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJmMjladkc0eXBxMWo2RENnYzk0QzZKMDIwZTdYX1J5MExxMTNoejdCdTAwIn0.eyJqdGkiOiI1YjA0Yzg1Ni1hM2U1LTQ4MmUtOTRhYy1lNTc5OGY4NDVkNjQiLCJleHAiOjE1NjM4OTE0NT
MsIm5iZiI6MCwiaWF0IjoxNTYzODkxMzkzLCJpc3MiOiJodHRwczovL2xvY2FsaG9zdDoLCJzY29wZSI6InByb2ZpbGUgZW1haWwifQ.xzOu6GUpLTMWDOXEntNoaecL2PNNEkqbbiU8DVRTGlE », »token_type »: »bearer », »not-before-policy »:1563886376, »session_state »: »4625130d-5018-484e-bb88-75c7a982e164″, »scope »: »profile email »}

4. Deployement

For any possible deployement of this specific X509 authentication flow customization , don’t hesitate to contact us.

Les derniers articles par janua (tout voir)