keycloak
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 37 additions & 1 deletion b/‎.github/workflows/test.yml‎
Lines changed: 37 additions & 1 deletion
diff --git a/‎.gitignore‎
Lines changed: 12 additions & 1 deletion b/‎.gitignore‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 35 additions & 0 deletions b/‎README.md‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎docker-compose-mtls.yml‎
Lines changed: 5 additions & 0 deletions b/‎docker-compose-mtls.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docker-compose.yml‎
Lines changed: 5 additions & 1 deletion b/‎docker-compose.yml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎docs/index.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/index.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎helper/helpers.go‎
Lines changed: 36 additions & 0 deletions b/‎helper/helpers.go‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎keycloak/keycloak_client.go‎
Lines changed: 16 additions & 3 deletions b/‎keycloak/keycloak_client.go‎
Lines changed: 16 additions & 3 deletions
@@ -94,18 +94,30 @@ jobs:
           fi
           if [[ "${{ matrix.keycloak-version }}" == "26.3.4" || "${{ matrix.keycloak-version }}" == "26.2.5" ]]; then
             EXTRA_FEATURES=",admin-fine-grained-authz:v1"
+
+            EXTRA_HTTP_CLIENT_AUTH="-e KC_HTTPS_CLIENT_AUTH=required"
+            EXTRA_HTTPS_CERT="-e KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/testdata/tls/server-cert.pem"
+            EXTRA_HTTPS_KEY="-e KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/testdata/tls/server-key.pem"
+            EXTRA_MTLS_CERTS="-e KC_TRUSTSTORE_PATHS=/opt/keycloak/testdata/tls/ca-cert.pem,/opt/keycloak/testdata/tls/client-cert.pem"
           fi
 
           docker run -d --name keycloak \
           -p 8080:8080 \
+          -p 8443:8443 \
           -e KC_DB=dev-mem \
           -e KC_LOG_LEVEL=INFO,org.keycloak:debug \
           -e KEYCLOAK_ADMIN=keycloak \
           -e KEYCLOAK_ADMIN_PASSWORD=password \
+          -e KC_BOOTSTRAP_ADMIN_USERNAME=keycloak \
+          -e KC_BOOTSTRAP_ADMIN_PASSWORD=password \
+          ${EXTRA_HTTP_CLIENT_AUTH} \
+          ${EXTRA_HTTPS_CERT} \
+          ${EXTRA_HTTPS_KEY} \
+          ${EXTRA_MTLS_CERTS} \
           -e KC_FEATURES=preview${EXTRA_FEATURES} \
           -e QUARKUS_HTTP_ACCESS_LOG_ENABLED=true \
           -e QUARKUS_HTTP_RECORD_REQUEST_START_TIME=true \
-          -v $PWD/provider/misc:/opt/keycloak/misc:z \
+          -v $PWD/provider/testdata:/opt/keycloak/testdata:z \
           $MOUNT_FEDERATION_EXAMPLE_VOLUME \
           quay.io/keycloak/keycloak:${{ matrix.keycloak-version }} --verbose start-dev
 
@@ -130,9 +142,33 @@ jobs:
           KEYCLOAK_CLIENT_SECRET: 884e0f95-0f42-4a63-9b1f-94274655669e
           KEYCLOAK_CLIENT_TIMEOUT: 120
           KEYCLOAK_REALM: master
+          # for mtls client auth
           KEYCLOAK_URL: "http://localhost:8080"
           KEYCLOAK_TEST_PASSWORD_GRANT: "true"
           KEYCLOAK_VERSION: ${{ steps.keycloak-version.outputs.result }}
+
+        timeout-minutes: 60
+# Only run mtls test for the later versions
+      - name: Test (mtls client auth)
+        if: matrix.keycloak-version == '26.3.4' || matrix.keycloak-version == '26.2.5'
+        run: |
+          terraform version
+          go mod download
+          make testacc
+        env:
+          KEYCLOAK_CLIENT_ID: terraform
+          KEYCLOAK_CLIENT_SECRET: 884e0f95-0f42-4a63-9b1f-94274655669e
+          KEYCLOAK_CLIENT_TIMEOUT: 120
+          KEYCLOAK_REALM: master
+          # for mtls client auth
+          KEYCLOAK_URL: "https://localhost:8443"
+          KEYCLOAK_URL_HTTP: "http://localhost:8080"
+          KEYCLOAK_TLS_CLIENT_CERT: "-----BEGIN CERTIFICATE-----\nMIIFAjCCAuqgAwIBAgIUHeZgtpvLa35tBbH5DT92iPzan64wDQYJKoZIhvcNAQEL\nBQAwbTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vu\na25vd24xEDAOBgNVBAoMB1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xFjAUBgNV\nBAMMDURldiBUZXN0IFJvb3QwHhcNMjUwOTIwMTkwMjU3WhcNMjcxMjI0MTkwMjU3\nWjBzMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHVW5rbm93bjEQMA4GA1UEBwwHVW5r\nbm93bjEQMA4GA1UECgwHVW5rbm93bjEQMA4GA1UECwwHVW5rbm93bjEcMBoGA1UE\nAwwTdHJ1c3RlZC1jbGllbnQtbXRsczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\nAQoCggEBAKfvc1qWAfE39s4RuS81RfdwXT9buwr5RLASNfPW4vZKt/iy/L+nS+SG\nXYQQeMSreZQwunFtQJF5JhxXMC4tlgAyIn2r+59c+5+9C9cbKUypV4NxtUqSjLew\nvTEKs2bu2t2cax97RtUJzPoCeD8qVi+SkyJBU0mNR7tRS2zrh2NdPMg9sBMc2HmV\nOSZ86zLvn6vSmmP9AefXvA78S3Bkj3L+fhRfqWqxYI08j2TdtLpvrvzsnJ2rqYHO\nPjgSE7GE4tbPGtSLNQU4ziEmC8bt3mdqgMUG1lBG6JrBoVMVaqH3Z86ZQr94xz9W\nAmJk646sXRa+vQmx62HOicFrA/v/Z8UCAwEAAaOBkzCBkDAJBgNVHRMEAjAAMA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAeBgNVHREEFzAVghN0\ncnVzdGVkLWNsaWVudC1tdGxzMB0GA1UdDgQWBBSFE0oLAkwJBwyMCCoQJXvF6Jvg\nyTAfBgNVHSMEGDAWgBT459iaWRGzTBIdUHLFon1GSQUyoTANBgkqhkiG9w0BAQsF\nAAOCAgEAZKnvqPT3lnDuuG1lJKUiDr/3qkC5TZpDLsrLaglbSwiCPVNHLgE4oq0q\n5ktzNUNx6HTLfn3dAuyd+K63/Tc3hXHDGNHQnRPRhPHGxceCIGUC7Qiqwdi6BNpr\nXJPHqMbEYWq4YHNj9aA6UYr2opp1P3KikACurN4llssx/FgHAXNPs5lD7nCxPuA+\nu2yWE+Y7kzd9PasrgFThX5Blz18H9+O0ri3T5VnYyDZ1kdALx/BzZ6BaQQEkcuh5\nVz+ZXCTNe9mtG8cFdnJUaCL6u9J6D4DfhdW40J+ZX1VJ1223CZquDXjcUUyPZPMo\n5WlTlCYodmcXCk6wtaUZ6kgUvqV61hFrcgs7byHYAtjaweulqy51QNfJT5Qhm8y+\n6b+PkWX+Gb8HKH8ceGjpJ2BA73Rb1keew77zr1/XMVWhwO524DRrXqQ4YFpK4Q3i\n9ZGhuVJCZIXhG4K+S48x/Q9AXPQ87Yk7SGxk7+/keXIpxZZiwB1TMfdpOKPH7wT1\n4wNrhiKrK4t+fSMbMvbPtFRAWGKz+dS1KRZVcGqv5qt05NDesA3pzrR9Rbyl9G4A\n2uxAeH/RjzDI/9UHfYZSOoAvsLrul7ZzIpRWpSSaK0W8Pw2iNUArYTlTpzIUxeLP\nDH309xDpOXvRgKhri6zUQYfnGv5lA2m3LEH3cVqjhACRWMg7dkM=\n-----END CERTIFICATE-----\n"
+          KEYCLOAK_TLS_CLIENT_KEY: "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCn73NalgHxN/bO\nEbkvNUX3cF0/W7sK+USwEjXz1uL2Srf4svy/p0vkhl2EEHjEq3mUMLpxbUCReSYc\nVzAuLZYAMiJ9q/ufXPufvQvXGylMqVeDcbVKkoy3sL0xCrNm7trdnGsfe0bVCcz6\nAng/KlYvkpMiQVNJjUe7UUts64djXTzIPbATHNh5lTkmfOsy75+r0ppj/QHn17wO\n/EtwZI9y/n4UX6lqsWCNPI9k3bS6b6787Jydq6mBzj44EhOxhOLWzxrUizUFOM4h\nJgvG7d5naoDFBtZQRuiawaFTFWqh92fOmUK/eMc/VgJiZOuOrF0Wvr0JsethzonB\nawP7/2fFAgMBAAECggEAA0SaSWWokq8fcxHOjr1J/USx1oJ3I1bdH/1au2yvwfyL\nk/ViYcBkWQVxsG45oL94KuAVNhEwM88tugN1q+W13jnGM2KIulMu5QQ4GhmB4Odd\nYptwhwukXWFnwm/jidnqvGvyJwyua4WN+EIwC4VMDrpFeWHYDb2ywFHBVqnxWoef\n1UhhL2w+vVDC+IVW4dd50Z4i8PU9xFUeTaKfr7tWujXGlujn57wWvr5r25WURha6\nWNBVZaoj/WSUbdD1c6a150q0GEF3Fd1ofQ1/PJRUgL5+lhdjUgBv1S2Z9/6DK4Fq\ngA8Saeh1tl85PrAbNPkz3lqoXg0HpOBd4pRYXrA4CQKBgQDo8gZocAMJzoX+6Fym\naBJWB97hcMl0YkGDl8tUaZlO0bCxh5BOGh4ZoP5e7avEXu8FbdmxNdIO5ENO80Bk\ntl2eG1S7ajdzgEoNREgUplChza6bEGAltnaloY9kzY2c/FRdqZFRPwpBB68V1n/E\nFusMJlQ09fN8SGj0GD98nCadpwKBgQC4jk+s2HnbvLCxOE852YNLS18Rlm030/ZP\ndyOVzQuHPpOghOHLVA5L10Q5bjVQGzN+bTbgB/403wAyop3oZtjOCE2qbimZxmfs\nqeJSx5OEpfqo95Eg/9WDjXMtWN8WtbYsxqOdzO+aqK1KX3aBUA/VgthBAnfWbZF1\nfNQ4euT0swKBgQDVv39xxZaEISWDSeP6LfTlTEOPydaRHLfQ8DB7PIqYcIEZ5bLc\nd8q26at/n8bFYfchnDLtEN23HG1GvJ6Ry2UL9zhA4K4RJd7NXaJmkFXcosddMiGH\neW5VfXH+pT8UldU0PKxDSP03vr1B5JlIbV8wvtr13dmWaTslADsBNKeacQKBgCpz\nucoVhXpRHge13yt8aCIStUyTYI4d+KNw0UOtBcDXWRfsWQ/vRtaVLsFTI3pIt4CW\nWLARxpycyyvakh4aQjaqXEseyfzwUYlzznaiJ8G0eEMTp1OC5bc7+0lsDuznYX9N\nNeefc2IM+MeJy/WU1/+R+HKDwdMWIwZ2b06Knk3XAoGAOCedCxVJMIR6xGw6NDDI\njWI39WpIzq7FNJGBJbjXgE0EazFClQrEsKkt4Qvi9mIkHFwLo+LbriWs5oe1V4dC\nNSgNPEtPR70LwRhp1Xr8ChMM5ZP75zYcu09O1IKrbiWGN6jJwnJxg3q4WmuB8g3o\nOValBgrKUp3ueYbmlRqLfcs=\n-----END PRIVATE KEY-----\n"
+          KEYCLOAK_TLS_CA_CERT: "-----BEGIN CERTIFICATE-----\nMIIFuzCCA6OgAwIBAgIUURmt+riNqWfiocuy0LuqsWf31FowDQYJKoZIhvcNAQEL\nBQAwbTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB1Vua25vd24xEDAOBgNVBAcMB1Vu\na25vd24xEDAOBgNVBAoMB1Vua25vd24xEDAOBgNVBAsMB1Vua25vd24xFjAUBgNV\nBAMMDURldiBUZXN0IFJvb3QwHhcNMjUwOTIwMTkwMjU3WhcNMzUwOTE4MTkwMjU3\nWjBtMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHVW5rbm93bjEQMA4GA1UEBwwHVW5r\nbm93bjEQMA4GA1UECgwHVW5rbm93bjEQMA4GA1UECwwHVW5rbm93bjEWMBQGA1UE\nAwwNRGV2IFRlc3QgUm9vdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB\nAK4ocjvMSJEnVAv9YVRkW2vsqQPJHTGaFsmVxb+tLfx6bZfX4ZyAlys0fZxVZ7qn\npa6ZCdZHleRrQ9D2sZDHj6N0P3OuitkVJc6WG/YxYTT/DMxiuWFWmStTD5Mji+kd\ngnXgVWiM+C5xXGME/m2rhvxMCqlsWcyPjt9nq+Sz4MD4xGlJ4sR1EAk+V7ATNs1e\nxQwlFoQv7AI0cJjdDFiOK/LBvKjr1LNxcXkygqO25UZYQwfSAhIrcvAKZR1PCIpj\nwoGuYP5LmRX5A/dxLIeTUPenP7RN1of4xoReyItbBdAwwceUrspVhp6UAZpUnwwi\nWy8APqW4wzbsASi7mtIWXOP6HUbbbdIuneObZ0rHrsKf+tUcvFpv+B+FPyzHiybE\np65tTPMIh0UawrvIpA+kqkUhlyPT97nDLCCeUL2zkfdiVdruwoBDF+Ab3h2ZL4ds\nvgo28jP5awRaWmFAhCpU7HGy9ykyKRfxE/v9YgOS3I+tDJW9dINwBCG7LYfmpZIp\nUTsVvQ78umLATMNcYuUA26hcVMd0G5VNRAlg4O/EBGKnwYHz+yTzK4208UyBCBX4\nK3YVBF6CiDhnaIxdPQ6hSWryd8On8uYpTpvfzW329xyXb+7qwwbH4ljEb2JZewUW\nDClH+zG977EN0i5e87NtqoEg7SuEgalBpXgtk/uufbpVAgMBAAGjUzBRMB0GA1Ud\nDgQWBBT459iaWRGzTBIdUHLFon1GSQUyoTAfBgNVHSMEGDAWgBT459iaWRGzTBId\nUHLFon1GSQUyoTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQB9\nIpWnkRqRUddwjbvkzqjbd0ODcljlwUxQv7e10XZ6C5yBCSr9E+RjiP58XmHbWC+O\ngvyN+W6px1XlIYpgE0I7c0qs6AxqKx5GExuVhByGwshIzYa2S7HdTxhAR6R9zaEH\n5NswV6U4La+226STgWlwgFnljQzvjQRGGSWilpDhzW5DW70G/bV+hvjBsgBuOAeN\nOtey1TCVLBGfEVMA6Lh3e2dqhy2qsQ5hiilXNsWhIXIF69XvgyqS15xFJb+T3JXW\n69tUjV0ALb2LeUuz5I13r1tLGJ2BcL92dwcNoiydDfqSd+PchFwxgAiVc+A3vsUB\ncu6sCNBftNOFzfRYErDONmnjOUq37jXMVAzkkwKtNZkEHj5b8eHdoTPqSQ2yeBkF\ni4HRZeetqPnKljP2sPJwg7AjJu3CrykwGsEY6f33XwYMgfuRo2K/t/B4Hpi3CHSg\n57iGulpGm8XlhE+uOiJqvUUZ3gh+yDG7DFWrr2n+bxuTo4t5/5e+VkBWK3NvEKZP\noMFNeilYRWZM5dnSLnxpvNW8rhW1fCriwvlcnXR7qu0ZIwnkxGhAq8VONyip8/vN\n7VvAFTuoksEthvncphYiIZ8zAvWMVQmrApOVfxGCam17OSxcu2zEIfSAzHUc1qBq\n42REECzbhvdcOSxnQCP1hrh5fO+seT5oLt2HBSzbaA==\n-----END CERTIFICATE-----\n"
+          KEYCLOAK_TEST_PASSWORD_GRANT: "true"
+          KEYCLOAK_VERSION: ${{ steps.keycloak-version.outputs.result }}
+
         timeout-minutes: 60
 
       - name: Print container logs
 
@@ -26,6 +26,7 @@ scratch/
 .gradle/
 
 # custom user federation example
+custom-user-federation-example/bin
 custom-user-federation-example/build
 !custom-user-federation-example/build/libs
 
@@ -37,4 +38,14 @@ site/
 
 .DS_Store
 
-test_env.json
+# Custom test_env overrides
+test_env*.json
+
+# Custom provider_installation mappings
+dev.tfrc
+
+# KCADM config folder
+.keycloak/
+
+# Locally started Keycloak data
+kcdata/
@@ -106,6 +106,8 @@ You can spin up a local developer environment via [Docker Compose](https://docs.
 This will spin up a few containers for Keycloak, PostgreSQL, and OpenLDAP, which can be used for testing the provider.
 This environment and its setup via `make local` is not intended for production use.
 
+You can also use `make local-mtls` to start Keycloak with required client authentication via mTLS certificate.
+
 To stop the environment you can use the `make local-stop`. To remove the local environment use `make local-down`.
 
 Note: The setup scripts require the [jq](https://stedolan.github.io/jq/) command line utility.
@@ -128,6 +130,39 @@ KEYCLOAK_URL="http://localhost:8080" \
 make testacc
 ```
 
+#### Test with HTTPS
+You can also run the same tests on Keycloak's https port.
+For this start the env with `make local`. After that run the following command:
+
+```
+KEYCLOAK_CLIENT_ID=terraform \
+KEYCLOAK_CLIENT_SECRET=884e0f95-0f42-4a63-9b1f-94274655669e \
+KEYCLOAK_CLIENT_TIMEOUT=5 \
+KEYCLOAK_REALM=master \
+KEYCLOAK_TEST_PASSWORD_GRANT=true \
+KEYCLOAK_URL="https://localhost:8443" \
+KEYCLOAK_TLS_CA_CERT="$(cat provider/testdata/tls/server-cert.pem)" \
+make testacc
+```
+
+#### Test with HTTPS + mTLS
+You can also run the same tests on Keycloak's https port with the Keycloak Terraform provider authenticating to the server with a mTLS client certificate.
+For this start the env with `make local-mtls`. After that run the following command:
+
+```
+KEYCLOAK_CLIENT_ID=terraform \
+KEYCLOAK_CLIENT_SECRET=884e0f95-0f42-4a63-9b1f-94274655669e \
+KEYCLOAK_CLIENT_TIMEOUT=5 \
+KEYCLOAK_REALM=master \
+KEYCLOAK_TEST_PASSWORD_GRANT=true \
+KEYCLOAK_URL_HTTP="http://localhost:8080" \
+KEYCLOAK_URL="https://localhost:8443" \
+KEYCLOAK_TLS_CLIENT_CERT="$(cat provider/testdata/tls/client-cert.pem)" \
+KEYCLOAK_TLS_CLIENT_KEY="$(cat provider/testdata/tls/client-key.pem)" \
+KEYCLOAK_TLS_CA_CERT="$(cat provider/testdata/tls/server-cert.pem)" \
+make testacc
+```
+
 ### Run examples
 
 You can run examples against a Keycloak instance.
 
@@ -0,0 +1,5 @@
+services:
+  keycloak:
+    environment:
+    - KC_HTTPS_CLIENT_AUTH=required
+    - KC_TRUSTSTORE_PATHS=/opt/keycloak/testdata/tls/ca-cert.pem,/opt/keycloak/testdata/tls/client-cert.pem
@@ -33,14 +33,18 @@ services:
     - KC_FEATURES=preview,admin-fine-grained-authz:v1
     - QUARKUS_HTTP_ACCESS_LOG_ENABLED=true
     - QUARKUS_HTTP_RECORD_REQUEST_START_TIME=true
+    - KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/testdata/tls/server-cert.pem
+    - KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/testdata/tls/server-key.pem
 # Enable for remote java debugging
 #    - DEBUG=true
 #    - DEBUG_PORT=*:8787
+#    - DEBUG_SUSPEND=y
     ports:
     - "8080:8080"
+    - "8443:8443"
 # Enable for remote java debugging
 #    - "8787:8787"
     volumes:
 # Make the custom-user-federation-example extension available to Keycloak. The :z option is required and tells Docker that the volume content will be shared between containers.
     - ./custom-user-federation-example/build/libs/custom-user-federation-example-all.jar:/opt/keycloak/providers/custom-user-federation-example-all.jar:z
-    - ./provider/misc:/opt/keycloak/misc:z
+    - ./provider/testdata:/opt/keycloak/testdata:z
@@ -111,5 +111,7 @@ The following arguments are supported:
 - `client_timeout` - (Optional) Sets the timeout of the client when addressing Keycloak, in seconds. Defaults to the environment variable `KEYCLOAK_CLIENT_TIMEOUT`, or `15` if the environment variable is not specified.
 - `tls_insecure_skip_verify` - (Optional) Allows ignoring insecure certificates when set to `true`. Defaults to `false`. Disabling this security check is dangerous and should only be done in local or test environments.
 - `root_ca_certificate` - (Optional) Allows x509 calls using an unknown CA certificate (for development purposes)
+- `tls_client_certificate` - (Optional) The TLS client certificate in PEM format when the keycloak server is configured with TLS mutual authentication.
+- `tls_client_private_key` - (Optional) The TLS client pkcs1 private key in PEM format when the keycloak server is configured with TLS mutual authentication.
 - `base_path` - (Optional) The base path used for accessing the Keycloak REST API.  Defaults to the environment variable `KEYCLOAK_BASE_PATH`, or an empty string if the environment variable is not specified. Note that users of the legacy distribution of Keycloak will need to set this attribute to `/auth`.
 - `additional_headers` - (Optional) A map of custom HTTP headers to add to each request to the Keycloak API.
@@ -0,0 +1,36 @@
+package helper
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+)
+
+func UpdateEnvFromTestEnvIfPresent() {
+
+	testEnvFile := os.Getenv("TEST_ENV_FILE")
+	if testEnvFile == "" {
+		testEnvFile = "../test_env.json"
+	}
+
+	if _, err := os.Stat(testEnvFile); err == nil {
+		fmt.Printf("Using %s to load environment variables...", testEnvFile)
+		file, err := os.Open(testEnvFile)
+		if err != nil {
+			log.Fatalf("Unable to open env.json: %s", err)
+		}
+		defer file.Close()
+
+		var envVars map[string]string
+		if err := json.NewDecoder(file).Decode(&envVars); err != nil {
+			log.Fatalf("Unable to decode env.json: %s", err)
+		}
+
+		for key, value := range envVars {
+			if err := os.Setenv(key, value); err != nil {
+				log.Fatalf("Unable to set environment variable %s: %s", key, err)
+			}
+		}
+	}
+}
@@ -67,7 +67,7 @@ var redHatSSO7VersionMap = map[int]string{
 	4: "9.0.17",
 }
 
-func NewKeycloakClient(ctx context.Context, url, basePath, adminUrl, clientId, clientSecret, realm, username, password, jwtSigningAlg, jwtSigningKey string, initialLogin bool, clientTimeout int, caCert string, tlsInsecureSkipVerify bool, userAgent string, redHatSSO bool, additionalHeaders map[string]string) (*KeycloakClient, error) {
+func NewKeycloakClient(ctx context.Context, url, basePath, adminUrl, clientId, clientSecret, realm, username, password, jwtSigningAlg, jwtSigningKey string, initialLogin bool, clientTimeout int, caCert string, tlsInsecureSkipVerify bool, tlsClientCert string, tlsClientPrivateKey string, userAgent string, redHatSSO bool, additionalHeaders map[string]string) (*KeycloakClient, error) {
 	clientCredentials := &ClientCredentials{
 		ClientId:      clientId,
 		ClientSecret:  clientSecret,
@@ -89,7 +89,7 @@ func NewKeycloakClient(ctx context.Context, url, basePath, adminUrl, clientId, c
 		}
 	}
 
-	httpClient, err := newHttpClient(tlsInsecureSkipVerify, clientTimeout, caCert)
+	httpClient, err := newHttpClient(tlsInsecureSkipVerify, clientTimeout, caCert, tlsClientCert, tlsClientPrivateKey)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create http client: %v", err)
 	}
@@ -562,7 +562,7 @@ func RetryPolicy(ctx context.Context, resp *http.Response, err error) (bool, err
 	return false, nil
 }
 
-func newHttpClient(tlsInsecureSkipVerify bool, clientTimeout int, caCert string) (*http.Client, error) {
+func newHttpClient(tlsInsecureSkipVerify bool, clientTimeout int, caCert string, tlsClientCert string, tlsClientPrivateKey string) (*http.Client, error) {
 	cookieJar, err := cookiejar.New(&cookiejar.Options{
 		PublicSuffixList: publicsuffix.List,
 	})
@@ -582,6 +582,14 @@ func newHttpClient(tlsInsecureSkipVerify bool, clientTimeout int, caCert string)
 		transport.TLSClientConfig.RootCAs = caCertPool
 	}
 
+	if tlsClientCert != "" && tlsClientPrivateKey != "" {
+		clientKeyPairCert, err := tls.X509KeyPair([]byte(tlsClientCert), []byte(tlsClientPrivateKey))
+		if err != nil {
+			return nil, err
+		}
+		transport.TLSClientConfig.Certificates = []tls.Certificate{clientKeyPairCert}
+	}
+
 	retryClient := retryablehttp.NewClient()
 	retryClient.CheckRetry = RetryPolicy
 	retryClient.RetryMax = 5
@@ -647,3 +655,8 @@ func newSignedJWT(ctx context.Context, url, clientId, alg, jwtSigningKey string)
 
 	return tokenString, nil
 }
+
+// Expose the underlying http client for tests
+func (kc *KeycloakClient) GetHttpClient() *http.Client {
+	return kc.httpClient
+}