This demo will show you how to use the X509 Client Authenticator.
-
At first, compile your own Keycloak version (this feature has not been released yet).
-
Generate certificates and keystores using
scripts/create_certs.shfile. -
Copy
scripts/*into$KEYCLOAK_HOME/standalone/configuration. -
Configure Mututal TLS using
cli/configure-tls.cliscript (jboss-cli.sh --connect --file=configure-tls.cli). -
Create a new Client in the Keycloak UI with X509 Certificate
-
For Subject DN use:
CN=localhost, OU=Keycloak, O=JBoss, L=Red Hat, ST=World, C=WW. -
Get a token using the newly created client:
curl --cacert server-cert.pem --cert server-keystore.p12 -v --data "username=admin&password=admin&grant_type=password" https://localhost:8443/auth/realms/master/protocol/openid-connect/token\?client_id\=testor
curl --cacert server-cert.pem --cert server-keystore.p12 -v --data "client_id=test&username=admin&password=admin&grant_type=password" https://localhost:8443/auth/realms/master/protocol/openid-connect/tokenThat’s it!