Client certificate authentication with Keycloak and APISIX


I have got a number of microservices that I want to protect using Apache's APISIX in conjunction with Keycloak for authentication.

What have I accomplished so far? Using OpenID Connect, I can use Keycloak/APISIX to authenticate users via access/bearer tokens (APISix integration with keycloak). This works well.

Now, I want to extend this to use X.509 client certificates instead. Honestly, I'm struggling to understand the workflow to make this happen. I've read through the Keycloak online documentation, but there are bits of knowledge I am lacking.

For example, what I'd like to understand is what role APISIX would play when using X.509 certificates. How would it be different from using access tokens?


Solution

  • Not an expert in either of the two, Keycloak or APISIX, but I believe APISIX plays no role in that. As far as it's concerned, if the client has a Bearer token, that's all it needs. Whether the Bearer token was issued after a username/password, OTP, mutual TLS, or OIDC authentication is irrelevant to the API Gateway. The only thing APISIX needs to do is to validate the token, which, from what you said, it's already doing.
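As an added illustration of the point above (this is not configuration from the question or the answer, and not the project's own sample), here is the shape of an APISIX route that protects an upstream with the `openid-connect` plugin in bearer-only mode. It is sent to the Admin API (for example `PUT /apisix/admin/routes/1` with the `X-API-KEY` header). Every hostname, realm, client id, secret and upstream address below is an assumed placeholder. Nothing in this route depends on how the caller obtained its token: a token that Keycloak issued after a mutual-TLS (X.509) exchange and one issued after a username/password login both arrive here as `Authorization: Bearer <token>` and are checked the same way.

```json
{
  "uri": "/api/*",
  "plugins": {
    "openid-connect": {
      "client_id": "apisix",
      "client_secret": "ASSUMED-CLIENT-SECRET",
      "discovery": "https://keycloak.example.com/realms/demo/.well-known/openid-configuration",
      "realm": "demo",
      "bearer_only": true,
      "scope": "openid"
    }
  },
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "127.0.0.1:8080": 1
    }
  }
}
```

With `bearer_only` set to `true`, APISIX does not redirect an unauthenticated caller to Keycloak's login page; it answers a missing or invalid token with 401 and otherwise validates the presented token against the keys published through the realm's discovery document before forwarding the request. The client-certificate part of the workflow therefore lives entirely between the client and Keycloak's token endpoint (where Keycloak can be configured to authenticate the client by its X.509 certificate); the gateway configuration is unchanged from the access-token setup already working.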