Tag Archives: Authentik

Harden Access Gateways with Geofencing – A Practical Guide for Enhanced Perimeter Security

Posted on by

In today’s distributed world the perimeter of an organization is no longer a single firewall at the edge of a data center. Users, services and devices connect from any location, over public clouds, through orchestrated container networks and via remote VPNs. This shift has driven security teams to adopt Zero Trust, a model that validates not only who you are but also where your device is located and what network it uses before granting access to critical resources.

One of the most effective ways to add an additional layer of verification is geofencing – the practice of allowing or denying traffic based on its geographic or network attributes such as country, city, or Autonomous System Number (ASN). When combined with strong device authentication (for example Device Trust certificates) geofencing can dramatically reduce the attack surface of your Device Trust access gateways.

This post explains how to harden access gateways with geofencing using Nginx and the ngx_http_geoip2_module. We will walk through obtaining free GeoIP data from MaxMind, configuring Nginx as a reverse proxy that blocks traffic by ASN, integrating geofence policies into modern identity providers like Authentik, and visualizing a example secure access flow. The examples are designed for Linux environments but can be adapted to any container or cloud platform.

Why Device Trust Matters in Modern Cloud Environments

  • Devices now connect from home offices, coffee shops, mobile networks and public clouds.
  • Attackers often use compromised devices or rented cloud instances that appear legitimate.
  • Traditional username/password/MFA checks do not verify the legitimacy of the device itself.
  • Adding a location check/monitoring makes it much harder for an adversary to reuse stolen credentials from an unexpected region.

When you combine device certificates, modern identity federation, and geofencing, you create a zero trust style gateway that only accepts traffic that meets all three criteria:

  1. Valid client certificate issued by your private Device Trust CA.
  2. Successful authentication with your Identity Provider (IdP).
  3. Source IP (or X-Forward-For) belongs to an expected country, city or ASN.

If any of these checks fail, the request is dropped before it reaches downstream services.

The Role of Geofencing in Hardening Access Gateways

Geofencing works by mapping an incoming IP address to a set of attributes – usually:

  • Country code (ISO‑3166 two‑letter format).
  • City name, coordinates and accuracy radius.
  • Autonomous System Number (ASN) which identifies the ISP or network owner.

These mappings are provided by public databases such as MaxMind’s GeoLite2. Because the data is freely available, you can implement geofencing without paying for a commercial service. The key steps are:

  1. Download and regularly update the GeoIP database.
  2. Load the database into your reverse proxy (Nginx in this example).
  3. Define rules that allow or deny traffic based on the mapped attributes.
  4. (Optional) Combine those rules with device certificate validation and IdP User attributes .

Getting Started with GeoIP Data Sources

MaxMind offers three primary free databases:

  • GeoLite2‑Country – maps IP to country code.
  • GeoLite2‑ASN – maps IP to ASN number and organization name.
  • GeoLite2-City– maps IP to City name as well as latitude, longitude, and accuracy radius.

Note: There are other free and paid providers of MaxMind (.mmdb) geolocation databases, which also should integrate into the same tooling without issue. Some great options are ipinfo lite, iplocate free, and ip2location lite.

You can obtain them by creating a free MaxMind account, accepting the license, and downloading the .mmdb files. To keep the data fresh you should schedule regular updates (MaxMind releases new versions weekly). The open source tool geoipupdate automates this process:

# Install geoipupdate on Debian/Ubuntu
apt-get update
apt-get install -y geoipupdate

# Create /etc/GeoIP.conf with your account details
cat <<EOF | sudo tee /etc/GeoIP.conf
AccountID YOUR_ACCOUNT_ID
LicenseKey YOUR_LICENSE_KEY
EditionIDs GeoLite2-Country GeoLite2-City GeoLite2-ASN
EOF

# Run the update immediately and enable a daily cron job
sudo geoipupdate

The resulting files are typically stored in /var/lib/GeoIP/ as GeoLite2-Country.mmdb and GeoLite2-ASN.mmdb. Adjust the paths in your Nginx configuration accordingly.

Installing and Configuring ngx_http_geoip2_module

The ngx_http_geoip2_module is a third‑party module that provides fast lookups of GeoIP data inside Nginx. It works with both the open source and commercial versions of Nginx, but for most Linux distributions you will need to compile it as a dynamic module.

#Install Build Prerequisites
apt-get install -y build-essential libpcre3-dev zlib1g-dev libssl-dev libmaxminddb-dev  nginx wget git vim

#Download Nginx Source and the GeoIP2 Module
NGINX_VERSION=$(nginx -v 2>&1 | cut -d'/' -f2| cut -d' ' -f1)
wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
tar xzf nginx-${NGINX_VERSION}.tar.gz
git clone https://github.com/leev/ngx_http_geoip2_module.git

#Compile the Module as a Dynamic Loadable Object
cd nginx-${NGINX_VERSION}
./configure --with-compat --add-dynamic-module=../ngx_http_geoip2_module
make modules
cp objs/ngx_http_geoip2_module.so /usr/share/nginx/modules/
echo "load_module modules/ngx_http_geoip2_module.so;" > /etc/nginx/modules-available/mod-http-geoip2.conf
ln -s /etc/nginx/modules-available/mod-http-geoip2.conf /etc/nginx/modules-enabled/60-mod-http-geoip2.conf


#Enable and configure the Module by adding the following to the http section
vim /etc/nginx/nginx.conf

'''
geoip2 /var/lib/GeoIP/GeoLite2-Country.mmdb {
    auto_reload 60m;
    $geoip2_metadata_country_build metadata build_epoch;
    $geoip2_country_code country iso_code;
    $geoip2_country_name country names en;
}

geoip2 /var/lib/GeoIP/GeoLite2-City.mmdb {
    auto_reload 60m;
    $geoip2_metadata_city_build metadata build_epoch;
    $geoip2_city_name city names en;
}

fastcgi_param COUNTRY_CODE $geoip2_country_code;
fastcgi_param COUNTRY_NAME $geoip2_country_name;
fastcgi_param CITY_NAME    $geoip2_city_name;
'''

Now you can use the GeoIP2 country or city variables or create custom directives inside your server blocks.

Blocking Traffic by Country with Nginx GeoIP2

A simple config that only allows traffic from the United States and Canada might look like this:

http {

    map $geoip2_country_code $allowed_country {
        default no;
        US      yes;
        CA      yes;
    }

    server {
        listen 443 ssl;
        server_name gateway.example.com;

        # TLS configuration omitted for brevity

        if ($allowed_country = no) {
            return 403;
        }

        location / {
            proxy_pass http://backend;
        }
    }
}

This configuration uses the $geoip2_country_code variable loaded from the geoip2 via the main nginx config. The map block creates a boolean variable $allowed_country that is later used in an if statement to reject disallowed traffic with HTTP 403.

ASN Based Geofence on an Nginx Reverse Proxy

Blocking by ASN provides finer granularity than country alone, especially when you want to restrict access to corporate ISP ranges or known cloud providers. Below is a more advanced configuration that:

  • Allows only devices originating from your corporate ASN (e.g., AS12345) or a trusted cloud provider (AS67890).
  • Requires a valid client certificate signed by your internal CA.
  • Sends the authenticated request to an internal API gateway.
http {
    # Load both country and ASN databases
    geoip2 /var/lib/GeoIP/GeoLite2-ASN.mmdb {
        auto_reload 5m;
        $geoip2_asn_number asn asn;
        $geoip2_asn_org asn organization;
    }

    # Define the list of permitted ASNs
    map $geoip2_asn_number $asn_allowed {
        default          no;
        12345            yes;   # Corporate ISP
        67890            yes;   # Trusted Cloud Provider
    }

    server {
        listen 443 ssl;
        server_name api-gateway.example.com;

        # TLS configuration (certificate, key) omitted for brevity

        # Enforce mutual TLS – reject if no cert or invalid cert
        ssl_verify_client on;
        ssl_client_certificate /etc/nginx/certs/ca.crt; # Your CA Chain

        # If client certificate verification fails, Nginx returns 400 automatically.
        # Add an explicit check for ASN after TLS handshake:
        if ($asn_allowed = no) {
            return 403;
        }

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Client-Cert $ssl_client_cert;
            proxy_set_header X-Client-DN  $ssl_client_s_dn
            proxy_pass http://internal-app;
        }
    }
}

Explanation of key parts

  • $geoip2_asn_number is populated by the GeoIP2 lookup; the map block translates the ASN into a simple yes/no flag.
  • The if ($asn_allowed = no) clause blocks any request that does not originate from an allowed ASN, even if the client certificate is valid.

You can extend this pattern to include city-level checks ($geoip2_city_name) or combine multiple criteria with logical operators.

Integrating GeoIP Policy with Authentik IDP

Authentik is a modern open source identity provider that supports OIDC, SAML and LDAP. It can enforce additional policies during the authentication flow, such as requiring a specific claim that matches your geofence rules.

Enable the GeoIP Policy within Authentik

Since Authentik version 2022.12 GeoIP is baked in and only requires mmdb files provided during startup for policies to be enabled.

  • Upload the same GeoLite2-City.mmdb & GeoLite2-ASN.mmdb files used for Nginx.
  • Provide the GeoIP (city mmdb) and ASN (ASN mmdb) file paths as env variables during startup
  • Setup schedule to update the files or configure geoipupdate plugin/container with your license key.

Now every authentication request will have an ASN value attached, which can be referenced in policies.

Create a GeoIP Polices in Authentik

In the Authentik admin UI:

  1. Navigate to Customizations → Policies.
  2. Add a new GeoIP Policy named “GeoIP Default”.
  3. Configure the default Distance and Static settings based on your needs

Distance Settings:

  • Maximum distance – The maximum distance allowed in Kilometers between logins
  • Distance tolerance – The allowable difference to account for data accuracy
  • Historical Login Count – The number of past logins to account for when evaluating
  • Check impossible travel – Whether to check logins/sessions for impossible travel >1k

Static Settings

  • Allowed ASNs – Comma separated list of all of the ASNs allowed to for the given policy
  • Allowed Countries – List of countries the policy allows connections from

(Optional) Create a Custom Policy in Authentik

In the Authentik admin UI:

  1. Navigate to Customizations → Policies.
  2. Add a new Expression Policy named “GeoIP ASN Allowlist”.
  3. Use the following Jinja2 expression (replace the ASNs with your allowed values):
{% set allowed_asns = [12345, 67890] %}
{{ context["asn"]["asn"] in allowed_asns and context["geoip"]["continent"] == "NA" }}

The context[“asn”] attribute is automatically populated by Authentik when the GeoIP ASN database and context[“geoip”] is provided by GeoIP City database. Both are used in conjunction here to required connections from an approved ASN network and from North America.

Attach the Policy to Your OIDC Application

  1. Open Applications → Your API Gateway.
  2. Under Policy Binding, add the “GeoIP Default” policy.
  3. (Optional) Under Policy Binding, add the “GeoIP ASN Allowlist” policy.
  4. Save changes.

When a user authenticates via Authentik, the flow will evaluate the policy. If the source IP belongs to an unauthorized ASN, authentication fails and no token is issued. This adds a second line of defense: even if an attacker obtains valid client certificates, they cannot get a JWT unless they connected from an allowed network.

Enforce Token Claims at Nginx

You can configure Nginx to validate the JWT issued by Authentik and also verify that it contains the expected ip_asn claim. The ngx_http_auth_jwt_module (available in the open source version) can be used:

http {
    # Load GeoIP2 as before

    server {
        listen 443 ssl;
        server_name api-gateway.example.com;

        # TLS settings omitted

        auth_jwt "Protected API";
        auth_jwt_key_file /etc/nginx/jwt-public.key;   # Authentik public key
        auth_jwt_claim_set $jwt_asn ip_asn;

        # Reject if JWT claim does not match allowed ASN list
        map $jwt_asn $jwt_asn_allowed {
            default no;
            12345   yes;
            67890   yes;
        }

        if ($jwt_asn_allowed = no) {
            return 403;
        }

        location / {
            proxy_pass http://internal-api;
        }
    }
}

The flow now looks like this:

  1. TLS handshake verifies client certificate.
  2. Nginx extracts the source IP and performs GeoIP ASN lookup.
  3. The request is redirected to Authentik for OIDC authentication.
  4. Authentik checks the “GeoIP ASN Allowlist” policy; if it passes, a JWT containing ip_asn is returned.
  5. Nginx validates the JWT and ensures the claim matches the allowed list before proxying to the backend.

This combination of device trust certificates, geofence enforcement and IdP policies creates a robust zero‑trust perimeter around your sensitive services.

Best Practices for Maintaining Geofencing Rules

  • Regularly update GeoIP databases – use geoipupdate with cron or systemd timers.
  • Keep an audit log of denied requests – configure Nginx error logs to capture $remote_addr, $geo_country_code, $geo_asn_number and the reason for denial.
  • Use a allowlist rather than a blocklist – allow only known good ASNs/countries; attackers can easily spoof or route through VPNs that belong to allowed regions.
  • Combine with rate limiting – even legitimate IP ranges may be abused; use limit_req_zone and limit_conn_zone.
  • Test changes in a staging environment – a mis‑configured ASN map could lock out all users out of an application, including administrators.
  • Monitor for anomalies – sudden spikes of traffic from an unexpected ASN can indicate compromised credentials.

Access Flow Diagram

Below is flowchart that visualizes the hardened access methodology. Only devices presenting a valid client Device Trust certificate and originating from an allowed location/ASN are permitted to obtain an authentication token and reach the protected service.

harden access gateways with geofencing

The diagram highlights three independent checks:

  • TLS client certificate – ensures the device holds a trusted private key.
  • GeoIP ASN validation at Nginx – blocks traffic from unknown networks before any authentication attempt.
  • Authentik policy enforcement and JWT claim verification – guarantees that the token itself reflects an allowed source network and travel distance is within tolerance.

Only when all three conditions succeed does the request reach the backend service.

Monitoring and Auditing Geofence Enforcement

A hardened gateway is only as good as its visibility. Implementing robust logging and alerting helps you detect misconfigurations or active attacks.

Nginx Log Format Extension

Add a custom log format that captures GeoIP variables:

http {
    log_format geo_combined '$remote_addr - $remote_user [$time_local] '
                            '"$request" $status $body_bytes_sent '
                            '"$http_referer" "$http_user_agent" '
                            'asn=$geoip2_asn_number country=$geoip2_country_code';

    access_log /var/log/nginx/access_geo.log geo_combined;
}

Centralized Log Collection

  • Ship logs to Elasticsearch, Splunk or Loki.
  • Create dashboards that filter on status=403 and group by $geoip2_asn_number.
  • Set alerts for spikes in denied traffic from a single ASN.

Scaling Geofence Enforcement Across Multiple Gateways

In large environments you may have dozens of ingress controllers. To keep policies consistent:

  • Store the allowed ASN list in a central source (e.g., Consul KV, etcd, or a ConfigMap).
  • Use a templating engine like envsubst or Helm to generate Nginx configs on each node.
  • Automate database updates with a CI/CD pipeline that pulls the latest MaxMind files and pushes them to all pods.

By treating the geofence policy as code you can version it, review changes via pull requests, and roll back quickly if an error blocks legitimate traffic.

Conclusion

Geofencing is a powerful yet straightforward technique for hardening access gateways with geofencing. By leveraging free GeoIP data from MaxMind, the ngx_http_geoip2_module in Nginx, and modern identity providers such as Authentik, you can enforce policies that require:

  • A trusted device certificate.
  • An allowed source network identified by ASN.
  • Successful authentication with a policy‑aware IdP.

The layered approach dramatically reduces the attack surface for privileged services, makes credential theft less useful, and gives security teams clear visibility into who is trying to connect from where. Combined with automated updates, logging, and containerized deployment, geofence enforcement can scale across hybrid cloud environments without adding significant operational overhead.

Start by downloading the GeoLite2 databases, compile the GeoIP2 module for your Nginx instances, define a allowlist of ASNs that correspond to your corporate trust network and approved cloud providers, and integrate the policy into your IdP. From there monitor the logs, tune the allowlist as your network evolves, and you’ll have a robust zero‑trust perimeter protecting your most sensitive workloads.

Remember: Device trust plus geofencing equals stronger security – and with the tools described in this post you can implement it today on Linux, cloud, and container platforms.

Enforcing Device Trust with Certificate‑Based Client Authentication – A Practical Guide for Modern Identity Providers

Posted on by

Introduction

In today’s zero‑trust world, granting access solely based on a user’s password or even an OTP is no longer sufficient. Threat actors are increasingly targeting compromised credentials, and the security community has responded with identity provider empowered device trust, a model that ensures only verified devices can obtain tokens from an identity provider (IdP).

When you combine device trust with TLS client‑certificate authentication, you create a powerful barrier: before any session token is issued for a sensitive application or service, the IdP validates a device‑bound certificate presented by the client. This approach works equally well for on‑premises workloads, cloud native services, and containerized applications.

In this post we’ll walk through how to configure popular IdPs like Keycloak, Authentik, Okta, OneLogin, and Auth0 to require Certificate ClientAuth using device trust certificates. We’ll also discuss best‑practice considerations for certificate issuance, rotation, and revocation.

Why Certificate‑Based Device Trust?

BenefitExplanation
Strong mutual TLS (mTLS)The client proves possession of a private key bound to a trusted device, eliminating credential stuffing attacks.
Device bindingCertificates are issued per device (or per container/compute) and can be tied to hardware TPMs or secure enclaves, making them hard to steal.
Zero‑trust enforcementEven if a user’s password is compromised, an attacker cannot obtain a token without the correct device certificate.
Fine‑grained policy controlIdPs can apply separate authentication policies based on certificate attributes (e.g., OU=Mobile, OU=Workstation).
Auditable provenanceEvery successful login includes the certificate fingerprint, simplifying forensic investigations.

Device Trust Certificate Lifecycle

  1. Enrollment – During first‑boot or via automated provisioning, the device presents its hardware-bound public certificate to an enrollment endpoint (often part of the IdP or Third-party service like ACME Attestation service).
  2. Provisioning – A trusted CA (internal PKI or managed service) issues a short‑lived X.509 certificate to each device. The private key is bound by the vTPM, HSM, or container runtime.
  3. Authentication – When a user attempts to access a protected app, the client initiates TLS with client‑certificate request. The presented certificate is validated against Device Trust certificate chain.
  4. Renewal / Rotation – Before expiry (typically 30–90 days), the device automatically requests a new cert via the provisioner. Old certificates are revoked or marked as expired in the CRL database.

Identify Provider Empowered Device Trust Authentication Flow

identity provider empowered with device trust Session flow diagram

The diagram illustrates that no token is ever issued unless the device presents a valid certificate that matches the IdP’s trusted CA list. This is the essence of an identity provider empowered device trust.

Preparing Your PKI

All IdPs discussed support the use of external CA integration. The steps are similar across platforms:

  1. Create a dedicated CA hierarchy – Root CA (offline) → Intermediate “Device‑Trust” CA (online).
  2. Define certificate profile – Include extensions such as subjectAltName for device ID, extendedKeyUsage = clientAuth, and optionally certificatePolicies to tag the trust domain.
  3. Deploy an automated provisioning service – For example, cert‑manager in Kubernetes, ACME with device attestation, or a simple SCEP service.

Note: Alternatively you can use smallstep step-ca as outlined in my practical cloud-native guide.

Sample OpenSSL config for the Device‑Trust CA:

[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
C  = US
ST = WA
L  = Seattle
O  = AcmeCorp
OU = DeviceTrustCA
CN = device-trust.acme.local

[ v3_intermediate_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer

Use this to generate the intermediate CA and then sign device CSRs with -extensions client_auth:

openssl req -new -nodes -newkey rsa:2048 \
  -keyout device.key -out device.csr \
  -subj "/C=US/ST=WA/L=Seattle/O=AcmeCorp/OU=Workstation/CN=device01"

openssl ca -config openssl.cnf -extensions client_auth \
  -days 30 -notext -md sha256 \
  -in device.csr -out device.crt

Configuring Identity Providers

Below we present the minimal configuration needed to enable Certificate ClientAuth for each IdP. The examples assume you already have a running instance of the IdP and that your PKI’s intermediate certificate is available as device-trust-ca.pem.

Keycloak

Keycloak provides TLS client‑certificate authentication via the X509 Authentication flow.

# keycloak-realm.yaml – add a new authentication flow called "DeviceTrust"
realm: myrealm
authenticationFlows:
  - alias: DeviceTrust
    providerId: basic-flow
    topLevel: true
    builtIn: false
    authenticationExecutions:
      - authenticator: x509-browser-authenticator
        requirement: REQUIRED
        priority: 10
        config:
          # Truststore containing device‑trust CA
          trustStoreFile: /opt/keycloak/conf/device-trust-ca.p12
          trustStorePassword: changeit
          # Map certificate subject DN to user attribute "deviceId"
          principalAttribute: cn
      - authenticator: auth-cookie
        requirement: REQUIRED
        priority: 20
  1. Upload the CA – Convert device-trust-ca.pem into a PKCS‑12 keystore (keytool -importcert).
  2. Create the flow via the Admin Console or import the YAML above.
  3. Set the flow as default for the desired client (application) under Authentication → Flows.

Now, any request to /auth/realms/myrealm/protocol/openid-connect/auth will trigger a TLS handshake that expects a device‑trust certificate.

For More information about Keycloak clientAuth review the x509 documentation.

Authentik

Authentik’s Certificate provider can be combined with the Device stage.

# authentik.yaml – DeviceTrustProvider definition
providers:
  - name: device-trust-mtls
    kind: cert
    config:
      ca_file: /etc/authentik/certs/device-trust-ca.pem
      allowed_usages:
        - clientAuth
      map_subject_to_user_attribute: "device_id"
stages:
  - name: DeviceTrustStage
    kind: authentication
    flow: default-authentication-flow
    providers:
      - device-trust-mtls
  1. Place device-trust-ca.pem under /etc/authentik/certs.
  2. Restart Authentik; the stage will now reject any TLS handshake lacking a valid client cert.

For more information about configuring Authentik authentication review the stag flow documentation.

Okta

Okta’s Certificate Authentication is configured via API Access Management.

{
  "type": "CERTIFICATE",
  "name": "DeviceTrustPolicy",
  "settings": {
    "trustedCertificates": [
      { "x5c": ["MIID..."] }   // Base64‑encoded device‑trust CA cert
    ],
    "subjectMatchPattern": "CN=*.device.acme.com"
  }
}

Steps:

  1. In the Okta Admin Console, navigate to Security → Authenticators → Certificate and add a new authenticator with the above JSON.
  2. Attach this authenticator to an Authentication Policy that protects your sensitive app (e.g., “Sensitive‑App‑Policy”).

Okta will now enforce mTLS for any request hitting the OIDC /authorize endpoint of that app.

For more information on configuring certificate-based authentication for Okta review the official docs.

OneLogin

OneLogin supports X.509 certificate authentication through its MFA configuration.

<!-- one-login-mfa-config.xml -->
<CertificateAuthenticator>
    <TrustedCA>$CA_Chain_URL</TrustedCA>
    <SubjectRegex>CN=([a-z0-9\-]+)</SubjectRegex>
    <MapToUserAttribute>device_id</MapToUserAttribute>
</CertificateAuthenticator>

Upload the XML via Settings → Security → Multifactor Authentication → Certificate. Then enable this factor for the Security Policy that guards your high‑value applications.

For more information about how Onelogin handles third-party certificate authentication to validate a trusted device, review the official documentation.

Auth0

Auth0 uses Custom Database Connections with a pre‑login hook to verify client certificates.

// auth0-pre-login.js – Deploy as an Action (Pre‑Login)
exports.onExecutePostLogin = async (event, api) => {
  const certHeader = event.request.headers['x-client-cert'];
  if (!certHeader) {
    return api.access.deny('client_certificate_missing');
  }

  // Decode PEM and verify against trusted CA
  const forge = require('node-forge');
  const pki = forge.pki;
  const caPem = `-----BEGIN CERTIFICATE-----
MIID...
-----END CERTIFICATE-----`;
  const caCert = pki.certificateFromPem(caPem);
  const clientCert = pki.certificateFromPem(certHeader);

  // Basic chain validation
  const verified = pki.verifyCertificateChain(pki.createCaStore([caCert]), [clientCert]);
  if (!verified) {
    return api.access.deny('invalid_device_certificate');
  }

  // Optional: map CN to user metadata
  const deviceId = clientCert.subject.getField('CN').value;
  event.user.app_metadata = { ...event.user.app_metadata, device_id: deviceId };
};

Deploy this Action and enable TLS termination with client‑certificate forwarding on your reverse proxy (e.g., Nginx proxy_set_header X-Client-Cert $ssl_client_cert;). Auth0 will reject any login that lacks a valid device‑trust certificate.

For more information about how to use Auth0’s mTLS authentication flow to validate device trust certificates, review their official mTLS docs.

Note: For services that may not directly support your Identity provider or may not be exposed externally, you can utilize a simple nginx proxy to validate a device trust certificate before allowing users to login.

Best Practices for Production Deployments

AreaRecommendation
Certificate LifetimeUse short lifetimes (30 days) and automate renewal via a provisioner like ACME or SCEP
Key ProtectionStore private keys in credential manager, KMS, Key Vault, or secrets store. Never write them to disk unencrypted.
RevocationPublish CRLs or use OCSP stapling; IdPs should query the revocation endpoint on each login.
Logging & AuditingInclude tls.client.subject_dn and certificate fingerprint in SIEM logs. Enable audit‑log retention for at least 90 days.
Fail‑Open vs Fail‑CloseDefault to fail‑close: if the client cert cannot be validated, deny access.
Device InventoryKeep a synchronized inventory service (e.g., CMDB) that tracks active device fingerprints; automate de‑provisioning when devices leave the fleet.

Testing & Validation

  1. OpenSSL verification – From a client machine with the device cert:
   openssl s_client -connect idp.acme.local:443 \
     -cert device.crt -key device.key -CAfile device-trust-ca.pem

You should see Verify return code: 0 (ok) and the TLS handshake succeed.

  1. Token request – Use curl with the client cert:
   curl -k https://idp.acme.local/auth/realms/myrealm/protocol/openid-connect/token \
     -E device.crt --key device.key \
     -d "grant_type=client_credentials&client_id=myapp"

If the certificate is invalid or missing, the response will be 401 Unauthorized.

  1. Audit log check – In Keycloak’s admin console go to Events → Config and enable Login events. Verify that each successful login entry contains client_certificate_fingerprint.

Common Pitfalls & How to Avoid Them

SymptomRoot CauseFix
Handshake fails with “unknown ca”Device‑trust CA not added to truststore or wrong file format (PEM vs PKCS12)Convert to PKCS12 and import correctly.
Token issued despite missing certReverse proxy terminates TLS before forwarding to IdP, losing client‑cert headerEnable proxy_ssl_verify and forward X-Client-Cert or use end‑to‑end mTLS (no TLS termination at proxy).
Frequent revocation failuresCRL/OCSP endpoint unreachable from IdP and user deviceHost a OCSP responder or cache CRLs; ensure network connectivity.
Certificate renewal breaks sessionsApplications cache the old cert and do not reload new filesUse cronjob or sidecar containers that check the certificate and automate renewal

Conclusion

By integrating device‑bound certificates with your identity provider, you transform authentication from a just a 2 factor authentication model and combine it into a robust multi factor with verifiable trust paradigm. The configurations shown for Keycloak, Authentik, Okta, OneLogin, and Auth0 prove that enabling Certificate ClientAuth is straightforward, often just a few lines of YAML or JSON plus the import of a trusted CA.

When you adopt this pattern:

  • Security posture improves dramatically – compromised passwords no longer grant access.
  • Compliance becomes easier – many regulations (e.g., NIST 800‑63B, PCI DSS) encourage strong mutual authentication.
  • Operational overhead stays low – automated short‑lived cert issuance and rotation eliminate manual key management.

If you’re looking to future‑proof your applications against credential‑theft attacks, make the shift today: empower your identity provider with device trust and let mTLS do the heavy lifting.