Description
Describe the question
First of all, thank you very much for this great project that works extremely well ❤️ I have been testing it intensively for several weeks now 🚀
The connection via Keycloak with a user of a realm works perfectly, coupled with RBAC, I can give the rights that suit me.
I would like to add a layer of security by requiring users to have a client certificate to authenticate in addition to the identifier and password.
In the documentation, a priori it is not possible to pass a client certificate to Keycloak to authenticate, even through the oidc-auth-request-extra-params parameter.
I have not found how to do it.
So my question is simple, is it possible for kubelogin to provide, during its request to Keycloak, a client certificate that will be part of the authentication?
To reproduce
Configure Keycloak to have X509 authentication:
- Added the X509_CA_BUNDLE environment variable in the container. This variable points to the CA used for the client certificate
- Create an X509 realm
- Configure all requests in HTTPS
- Copy the Browser flow to "X509 Browser"
- Modify the "X509 Browser" flow
- Delete unwanted steps (Kerberos, identity Providers...)
- Add X509 Validate Username Form
- Configure X509 Validate Username Form (alternative, identity source email, mapping method username or email)
- Modify the binding
- Create a user with or without credentials (it didn't work in either case)
My Kubeconfig:

```yaml
- name: tony
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://keycloak.test/realms/x509
      - --oidc-client-id=test
      - --username=tonystark
      - --token-cache-dir=~/.kube/cache/oidc-login/tony@kind-poc-newyear
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false
```
Your environment
- OS: Debian (under WSL)
- kubelogin version: e.g. v1.31.0
- kubectl version: e.g. v1.31.1
- OpenID Connect provider: Keycloak