x.509 Client Authentication with Keycloak and mod_auth_openidc

[fostermi]

Keycloak can support user authentication via x.509 Client Certificate verification. And supposedly this can be done when using a Reverse Proxy in front of Keycloak if Keycloak is not exposed directly with SSL, that can verify the certificate and then pass it along to Keycloak in an HTTP header for Keycloak to parse for the subject's email and approve authentication. I'm trying to use an Apache server as the RP, and still use mod_auth_openidc to handle the redirection to Keycloak for authentication, but mod_auth_openidc doesn't seem to be forwarding the Request Header set by Apache.

Omitting any other OIDC config, I'm doing something like this:

<Location "/">
    AuthType openid-connect
    Require valid-user
    SSLVerifyClient require
    SSLVerifyDepth 1
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    RequestHeader set SSL_CERT_CHAIN "%{SSL_CLIENT_CERT_CHAIN_0}s"
</Location>

In the Keycloak logs I see: HTTP header "LASP_AUTH_SSL_CLIENT_CERT" is empty.

Can mod_auth_openidc be configured to forward headers other than 'X-Forwarded-*'? Has anyone used this combination of Apache+mod_auth_openidc+x.509 client auth?

[zandbelt]

this does not have anything to do with mod_auth_openidc; make sure you use ExportCertData in SSLOptions and check for the header SSL_CLIENT_CERT (not LASP_AUTH_SSL_CLIENT_CERT)

[fostermi]

Ah, I now realize that I need the RP in front of Keycloak doing the client cert auth since its a browser connection not a back-channel of any kind or related to any mod_auth_openidc protected URL. Thanks.