Authentication with client certificate with Keycloak #1221

Open
lynchmaniac opened this issue Jan 7, 2025 · 0 comments
Labels
question Further information is requested


Describe the question

First of all, thank you very much for this great project that works extremely well ❤️ I have been testing it intensively for several weeks now 🚀

The connection via Keycloak with a user of a realm works perfectly; coupled with RBAC, I can give the rights that suit me.
I would like to add a layer of security by requiring users to present a client certificate to authenticate, in addition to the identifier and password.

In the documentation, a priori it is not possible to pass a client certificate to Keycloak to authenticate; even through the oidc-auth-request-extra-params parameter, I have not found how to do it.

So my question is simple, is it possible for kubelogin to provide, during its request to Keycloak, a client certificate that will be part of the authentication?

To reproduce

Configure Keycloak to have X509 authentication:

  • Add the X509_CA_BUNDLE environment variable in the container. This variable points to the CA used for the client certificate
  • Create an X509 realm
  • Configure all requests in HTTPS
  • Copy the Browser flow to "X509 Browser"
  • Modify the "X509 Browser" flow
  • Delete unwanted steps (Kerberos, Identity Providers...)
  • Add X509 Validate Username Form
  • Configure X509 Validate Username Form (alternative, identity source email, mapping method username or email)
  • Modify the binding
  • Create a user with or without credential (it didn't work for both)

My Kubeconfig:

```yaml
- name: tony
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://keycloak.test/realms/x509
      - --oidc-client-id=test
      - --username=tonystark
      - --token-cache-dir=~/.kube/cache/oidc-login/tony@kind-poc-newyear
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false
```

Your environment

  • OS: Debian (under WSL)
  • kubelogin version: e.g. v1.31.0
  • kubectl version: e.g. v1.31.1
  • OpenID Connect provider: Keycloak