Add X509 TLS client authentication (#10)

Co-authored-by: lucdew <[email protected]>

Author: lucdew

docs/index.md

@@ -87,7 +87,8 @@ The following arguments are supported:
 - `client_timeout` - (Optional) Sets the timeout of the client when addressing Keycloak, in seconds. Defaults to the environment variable `KEYCLOAK_CLIENT_TIMEOUT`, or `15` if the environment variable is not specified.
 - `tls_insecure_skip_verify` - (Optional) Allows ignoring insecure certificates when set to `true`. Defaults to `false`. Disabling this security check is dangerous and should only be done in local or test environments.
 - `root_ca_certificate` - (Optional) Allows x509 calls using an unknown CA certificate (for development purposes)
--   `tls_client_certificate` - (Optional) The TLS client certificate in PEM format when the keycloak server is configured with TLS mutual authentication.
+-   `tls_client_certificate` - (Optional) The TLS client certificate in PEM format when the Keycloak server is configured with TLS mutual authentication.
+-   `tls_client_auth` - (Optional) When true, also uses the TLS client certificate for Keycloak X509 authentication.
 -   `tls_client_private_key` - (Optional) The TLS client pkcs1 private key in PEM format when the keycloak server is configured with TLS mutual authentication.
 - `base_path` - (Optional) The base path used for accessing the Keycloak REST API.  Defaults to the environment variable `KEYCLOAK_BASE_PATH`, or an empty string if the environment variable is not specified. Note that users of the legacy distribution of Keycloak will need to set this attribute to `/auth`.
 - `additional_headers` - (Optional) A map of custom HTTP headers to add to each request to the Keycloak API.

keycloak/keycloak_client.go

@@ -36,6 +36,7 @@ type KeycloakClient struct {
 	additionalHeaders map[string]string
 	debug             bool
 	redHatSSO         bool
+	tlsClientAuth     bool
 }
 
 type ClientCredentials struct {
@@ -61,7 +62,7 @@ var redHatSSO7VersionMap = map[int]string{
 	4: "9.0.17",
 }
 
-func NewKeycloakClient(ctx context.Context, url, basePath, clientId, clientSecret, realm, username, password string, initialLogin bool, clientTimeout int, caCert string, tlsClientCert string, tlsClientPrivateKey string, tlsInsecureSkipVerify bool, userAgent string, redHatSSO bool, additionalHeaders map[string]string) (*KeycloakClient, error) {
+func NewKeycloakClient(ctx context.Context, url, basePath, clientId, clientSecret, realm, username, password string, initialLogin bool, clientTimeout int, caCert string, tlsClientCert string, tlsClientAuth bool, tlsClientPrivateKey string, tlsInsecureSkipVerify bool, userAgent string, redHatSSO bool, additionalHeaders map[string]string) (*KeycloakClient, error) {
 	clientCredentials := &ClientCredentials{
 		ClientId:     clientId,
 		ClientSecret: clientSecret,
@@ -72,6 +73,8 @@ func NewKeycloakClient(ctx context.Context, url, basePath, clientId, clientSecre
 		clientCredentials.GrantType = "password"
 	} else if clientSecret != "" {
 		clientCredentials.GrantType = "client_credentials"
+	} else if tlsClientAuth {
+		clientCredentials.GrantType = "client_credentials"
 	} else {
 		if initialLogin {
 			return nil, fmt.Errorf("must specify client id, username and password for password grant, or client id and secret for client credentials grant")
@@ -94,6 +97,7 @@ func NewKeycloakClient(ctx context.Context, url, basePath, clientId, clientSecre
 		userAgent:         userAgent,
 		redHatSSO:         redHatSSO,
 		additionalHeaders: additionalHeaders,
+		tlsClientAuth:     tlsClientAuth,
 	}
 
 	if keycloakClient.initialLogin {
@@ -271,10 +275,14 @@ func (keycloakClient *KeycloakClient) getAuthenticationFormData() url.Values {
 			authenticationFormData.Set("client_secret", keycloakClient.clientCredentials.ClientSecret)
 		}
 
-	} else if keycloakClient.clientCredentials.GrantType == "client_credentials" {
+	} else if keycloakClient.clientCredentials.GrantType == "client_credentials" && keycloakClient.clientCredentials.ClientSecret != "" {
 		authenticationFormData.Set("client_secret", keycloakClient.clientCredentials.ClientSecret)
 	}
 
+	if keycloakClient.tlsClientAuth {
+		authenticationFormData.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:tls_client_auth")
+	}
+
 	return authenticationFormData
 }
 

keycloak/keycloak_client_test.go

@@ -49,7 +49,7 @@ func TestAccKeycloakApiClientRefresh(t *testing.T) {
 		t.Fatal("KEYCLOAK_CLIENT_TIMEOUT must be an integer")
 	}
 
-	keycloakClient, err := NewKeycloakClient(ctx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), os.Getenv("KEYCLOAK_USER"), os.Getenv("KEYCLOAK_PASSWORD"), true, clientTimeout, "", "", "", false, "", false, map[string]string{
+	keycloakClient, err := NewKeycloakClient(ctx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), os.Getenv("KEYCLOAK_USER"), os.Getenv("KEYCLOAK_PASSWORD"), true, clientTimeout, "", "", false, "", false, "", false, map[string]string{
 		"foo": "bar",
 	})
 	if err != nil {

provider/provider.go

@@ -180,6 +180,12 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 				Description: "Allows ignoring insecure certificates when set to true. Defaults to false. Disabling security check is dangerous and should be avoided.",
 				Default:     false,
 			},
+			"tls_client_auth": {
+				Optional:    true,
+				Type:        schema.TypeString,
+				Description: "When true, uses also the TLS client certificate for authentication in Keycloak",
+				Default:     "",
+			},
 			"tls_client_certificate": {
 				Optional:    true,
 				Type:        schema.TypeString,
@@ -229,6 +235,7 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 		clientTimeout := data.Get("client_timeout").(int)
 		tlsInsecureSkipVerify := data.Get("tls_insecure_skip_verify").(bool)
 		tlsClientCertificate := data.Get("tls_client_certificate").(string)
+		tlsClientAuth := data.Get("tls_client_auth").(bool)
 		tlsClientPrivateKey := data.Get("tls_client_private_key").(string)
 		rootCaCertificate := data.Get("root_ca_certificate").(string)
 		redHatSSO := data.Get("red_hat_sso").(bool)
@@ -241,7 +248,7 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 
 		userAgent := fmt.Sprintf("HashiCorp Terraform/%s (+https://www.terraform.io) Terraform Plugin SDK/%s", provider.TerraformVersion, meta.SDKVersionString())
 
-		keycloakClient, err := keycloak.NewKeycloakClient(ctx, url, basePath, clientId, clientSecret, realm, username, password, initialLogin, clientTimeout, rootCaCertificate, tlsClientCertificate, tlsClientPrivateKey, tlsInsecureSkipVerify, userAgent, redHatSSO, additionalHeaders)
+		keycloakClient, err := keycloak.NewKeycloakClient(ctx, url, basePath, clientId, clientSecret, realm, username, password, initialLogin, clientTimeout, rootCaCertificate, tlsClientCertificate, tlsClientAuth, tlsClientPrivateKey, tlsInsecureSkipVerify, userAgent, redHatSSO, additionalHeaders)
 		if err != nil {
 			diags = append(diags, diag.Diagnostic{
 				Severity: diag.Error,

provider/provider_test.go

@@ -60,7 +60,7 @@ func init() {
 		}
 	}
 
-	keycloakClient, err = keycloak.NewKeycloakClient(testCtx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), "", "", true, 5, "", "", "", false, userAgent, false, map[string]string{
+	keycloakClient, err = keycloak.NewKeycloakClient(testCtx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), "", "", true, 5, "", "", false, "", false, userAgent, false, map[string]string{
 		"foo": "bar",
 	})
 	if err != nil {