@akostadinov

Configure all Keycloak deployments (RHBK, RHSSO, and keycloak-deployment) to request client certificates for HTTPS connections by adding the https-client-auth=request option. This enables mutual TLS authentication when clients provide certificates.

🤖 Generated with Claude Code

Needs to be tested first!

Configure all Keycloak deployments (RHBK, RHSSO, and keycloak-deployment)
to request client certificates for HTTPS connections by adding the
https-client-auth=request option. This enables mutual TLS authentication
when clients provide certificates.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@mdujava
Member

mdujava commented Nov 10, 2025

Can't this be set up per realm? This will break existing tests.

@akostadinov
Author

This is a setting on the TLS level to request a client certificate optionally. At the moment of TLS connection, there is no way to know what realm the client would be accessing.

Presently ssl-rhbk has the setting and it doesn't appear to break any functionality, only now MTLS is possible to configure.
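The behaviour described in the comment above, as an added example that is not part of the pull request or of Keycloak: Python's `ssl.CERT_OPTIONAL` stands in for `https-client-auth=request`, and `ssl.CERT_REQUIRED` is shown for contrast. It assumes the `openssl` CLI is available to create constructed throwaway certificates; the function names are hypothetical.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_cert(directory, name):
    """Constructed throwaway self-signed certificate (assumes the openssl CLI)."""
    key = os.path.join(directory, name + ".key")
    crt = os.path.join(directory, name + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=" + name,
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def try_handshake(server_mode, client_sends_cert):
    """Return what the server saw: 'cert', 'no cert' or 'rejected'."""
    with tempfile.TemporaryDirectory() as d:
        s_crt, s_key = make_cert(d, "server")
        c_crt, c_key = make_cert(d, "client")
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        # TLS 1.2 keeps the outcome visible to both sides during the handshake.
        srv.maximum_version = ssl.TLSVersion.TLSv1_2
        srv.load_cert_chain(s_crt, s_key)
        srv.load_verify_locations(c_crt)   # trust anchor for client certificates
        srv.verify_mode = server_mode      # CERT_OPTIONAL = request, do not require
        cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cli.check_hostname = False         # constructed cert has no SAN
        cli.load_verify_locations(s_crt)
        if client_sends_cert:
            cli.load_cert_chain(c_crt, c_key)
        listener = socket.create_server(("127.0.0.1", 0))
        seen = []
        def serve():
            conn, _ = listener.accept()
            try:
                with srv.wrap_socket(conn, server_side=True) as tls:
                    seen.append("cert" if tls.getpeercert() else "no cert")
            except OSError:                # ssl.SSLError is a subclass of OSError
                seen.append("rejected")
        worker = threading.Thread(target=serve)
        worker.start()
        try:
            with socket.create_connection(listener.getsockname()) as raw:
                with cli.wrap_socket(raw):
                    pass                   # handshake only, no application data
        except OSError:
            pass
        worker.join()
        listener.close()
        return seen[0]
```

Clients without a certificate still complete the handshake under the optional mode, which is why the certificate decision has to be made later, at the application layer, once the requested realm is known.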

@mdujava
Member

mdujava commented Nov 11, 2025

Ok, just tested make tests disruptive and I can confirm that no problems occurred. I will approve and merge after make ui. The rhsso change does not make any difference, as rhsso is currently not deployed with ssl/cert, just a no-ssl route.

@akostadinov
Author

I think it is alright to keep the option in case it gets deployed with a TLS endpoint at some point. But let me know if you want this removed.

@akostadinov
Author

Also if you have the tools running somewhere, pls let me know so I see that the changes are in fact properly in effect.
