Add support for forwarding the client certificate chain either as part of XFCC header or as an additional header.
Description:
We use Keycloak to perform authentication and terminate SSL connections via a reverse proxy. In this configuration Keycloak requires forwarding of both the client certificate and the full certificate chain. These options are supported by both HAProxy and Apache, but not by Envoy currently.
Including this as part of the XFCC header or as additional header(s) would enable Envoy to be used in this configuration (without that support you are required to load the certificate chain into Keycloak directly, which isn't possible unless you know in advance what that chain will be).
For more details on the Keycloak requirements see -- https://www.keycloak.org/docs/latest/server_admin/index.html#client-certificate-lookup.
FYI -- I originally asked this question on the Google group and was directed to open an issue here -- https://groups.google.com/forum/#!topic/envoy-users/bYVQrXt1Phs.