Reverse proxy from NGINX to Keycloak with 2FA

Francis Daly francis at
Fri May 4 13:22:08 UTC 2018

On Thu, May 03, 2018 at 07:42:01AM -0400, Joncheski wrote:

Hi there,

> I have tried with tcp port forwarder ("stream") but my host is changed to
> the client's url, which directly sends me to Keycloak, which I do not want
> to have direct access to Keycloak, so I use proxy.

The end-client must not talk to Keycloak. Ok.

Keycloak wants to get the client certificate, and some indication that
the connecting client has the private key that is associated with the

(Effectively, the certificate is "the username", and the private key is
"the password".)

Normally, Keycloak would be able to verify that the client has the
matching private key, because the ssl connection between Keycloak and
the client would demonstrate that.

You do not want that to happen.

So you must configure Keycloak (if it is possible) to believe nginx when
it says that this client has the private key that matches the included
certificate (because nginx used the ssl connection between nginx and
the client to demonstrate that).

> Keycloak has been configured to verify a client certificate that needs its
> CN to be identically with the username you enter, normally have keystore and
> truststore installed to check from whom it was issued and signed (which is
> associated with Key Management System for whether it is invalid or revoke).

Nginx can give the client certificate to Keycloak, and Keycloak can
confirm that the certificate was issued by the correct Certificate
Authority, and can check whatever it wants about the CN. But Keycloak
cannot directly confirm that the client has the matching private key --
it must be told to believe nginx when nginx says that the client has
the matching private key.

> I have done it and can NGINX check the client certificate (I add these
> things:  ssl_client_certificate path-of-root-ca, and ssl_verify_client on),

Yes, nginx could check that (but it probably does not need to, if Keycloak
will be checking it anyway).

> whether it has been issued and signed by my PKI Key Management System, but
> the problem is that the user can submit a certificate from one user, and in
> Keycloak to announce with another. I want to stop this thing, so I have a
> full 2FA. Keycloak is the only one to check it.

I don't understand what you mean there.

That's ok; I don't have to understand. So long as you are happy that it
makes sense to you, that's good enough.

> I want to ask you, can the client certificate that is attached to NGINX
> through the ssl_verify_client option be forwarded to Keycloak?


The contents of the certificate is accessible through the $ssl_client_cert

You can tell nginx to include that variable in a http header, for
example, that you tell Keycloak to read and believe that the client has
the matching private key.

The whole thing cannot be done without configuration within Keycloak.

Francis Daly        francis at

More information about the nginx mailing list