Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support keystore configuration for mutual TLS in oidc and oidc-client #19634

Closed
famod opened this issue Aug 24, 2021 · 6 comments · Fixed by #23145
Closed

Support keystore configuration for mutual TLS in oidc and oidc-client #19634

famod opened this issue Aug 24, 2021 · 6 comments · Fixed by #23145
Assignees
@sberyozkin
Labels
area/oidc kind/enhancement New feature or request
Milestone
2.7.0.Final

Comments

@famod
Copy link
Member

famod commented Aug 24, 2021

Description

#18012 added trust store support and we discussed key store support for client auth/mutual TLS.

This issue shall prevent that enhancement from falling through the cracks.

/cc @sberyozkin

Implementation ideas

No response
@famod famod added the kind/enhancement New feature or request label Aug 24, 2021
@quarkus-bot
Copy link

quarkus-bot bot commented Aug 24, 2021

/cc @pedroigor, @sberyozkin

@sberyozkin
Copy link
Member

sberyozkin commented Aug 25, 2021
edited
Loading

@famod This issue is a duplicate of #4447 - which was created a long time ago - and no one has seen a requirement to talk to Keycloak using the MTLS connection. Please close one of these issues as a duplicate, perhaps we could keep this one as it is the more recent one, thanks

@famod famod mentioned this issue Aug 25, 2021
Closed
@famod
Copy link
Member Author

famod commented Aug 25, 2021

@sberyozkin thanks for pointing that out! I closed the other issue as you suggested.

@sberyozkin
Copy link
Member

@famod, by the way, if you need a way to avoid sending a client secret over the wire then you can use the client JWT authentication - is is all supported:
https://quarkus.io/guides/security-openid-connect-web-authentication#oidc-provider-client-authentication
I'm not sure what is the case for client MTLS authentication given that the JWT authentication is totally secure and does not leak the secrets on the wire. As far as the actual communication with KC is concerned, no sensitive data is flowing on the wire - the public keys are retrieved, and tokens are returned and rarely introspected

@argenstijn
Copy link

I surely would like to see support for this.

I'm not sure what is the case for client MTLS authentication given that the JWT authentication is totally secure and does not leak the secrets on the wire
Here you assume you have control over the server you call. But many don't and it is a requirement to use MTLS.
In my case it;s just how the third party server is implemented. Changing the third part server is out of our reach.

So please support this :)

@sberyozkin sberyozkin self-assigned this Jan 17, 2022
@sberyozkin
Copy link
Member

@argenstijn, sorry for a delay - I've noticed your comment only today.

Here you assume you have control over the server you call. But many don't and it is a requirement to use MTLS.

Makes sense

@sberyozkin sberyozkin mentioned this issue Jan 24, 2022
Merged
@quarkus-bot quarkus-bot bot added this to the 2.8 - main milestone Jan 24, 2022
@gsmet gsmet modified the milestones: 2.8 - main, 2.7.0.Final Jan 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sberyozkin sberyozkin

Labels
area/oidc kind/enhancement New feature or request
Projects
None yet
Milestone
2.7.0.Final
Development

Successfully merging a pull request may close this issue.

Support OIDC Mutual TLS sberyozkin/quarkus
4 participants
@argenstijn @sberyozkin @gsmet @famod