Support for mTLS within desktop & mobile

[RihanArfan]

Please could you add support for mutual TLS (also known as TLS client authentication) within the mobile and desktop apps?

On Windows, ideally the certificate/path could be also be configured via registry so MDM solutions can roll this out at scale in enterprises.

Why

I want to expose OpenCloud to the internet behind an OAuth2 proxy (so a user needs to be authenticated for their request to reach OpenCloud). This could be bypassed if presenting a client certificate (mTLS) for authentication because the apps need to reach the API without facing redirects to login page etc from the reverse proxy.

This feature is something which I foresee being used by both advanced homelab users, and enterprises with high security standards.

Similar

Immich, a Google Photos alternative supports mTLS - immich-app/immich#10860

Users using Cloudflare Access can use mutual TLS with Cloudflare Enterprise but homelab users can use Cloudflare Access service tokens which simply needs two headers to bypass authentication. So in addition, supporting adding headers to requests would be appreciated.

[michaelstingl]

I understand your use case for exposing OpenCloud behind an OAuth2 proxy while enabling mobile/desktop apps to bypass authentication using mTLS. After researching this, I'd like to propose an alternative approach that might be more elegant and require no changes to OpenCloud itself.

The IdP-based mTLS Solution

Since OpenCloud already supports OpenID Connect with external IdPs, you can implement mTLS authentication at the IdP level instead. This approach works because:

1. OpenCloud's iOS app uses ASWebAuthenticationSession for OIDC login
2. The desktop app uses the system browser for authentication
3. Both have access to system-installed certificates

How It Works

Mobile/Desktop App → OpenCloud (OIDC) → IdP with mTLS → User Authentication

The flow remains standard OIDC from the app's perspective, but the IdP handles certificate-based authentication.

Implementation with Keycloak

OpenCloud has excellent Keycloak integration, and Keycloak fully supports mTLS authentication. Here's how to set it up:

1. Enable mTLS in Keycloak

# Enable client certificate authentication
bin/kc.sh start --https-client-auth=required

# Configure truststore for client certificates
bin/kc.sh start --https-trust-store-file=/path/to/truststore.jks

2. Configure X.509 Authentication Flow

1. In Keycloak Admin Console, go to Authentication → Flows
2. Copy the "Browser" flow
3. Add "X509/Validate Username Form" as an alternative to password authentication
4. Configure certificate-to-user mapping (e.g., Subject's email to Keycloak username)

3. OpenCloud Configuration

No changes needed! OpenCloud continues to use standard OIDC. The mTLS authentication happens transparently at the IdP level.

Benefits of This Approach

• ✅ No modifications to OpenCloud or its apps required
• ✅ Uses existing, well-tested OIDC integration
• ✅ System certificates work seamlessly with ASWebAuthenticationSession and browsers
• ✅ Centralized certificate management at the IdP
• ✅ Works with both built-in and external Keycloak deployments
• ✅ Enterprise-ready solution with Keycloak's robust mTLS support

Other IdP Options

While Keycloak has the best mTLS support among open-source IdPs, here's a comparison:

IdP	mTLS Support	Notes
Keycloak	✅ Full support	Native X.509 authentication, OAuth2 mTLS client auth, certificate-bound tokens
Authentik	❌ No	Would require reverse proxy for mTLS
Dex	❌ No	Feature requested but not implemented
Ory Hydra	⚠️ In development	Planned but not yet available

Conclusion

Instead of implementing mTLS directly in OpenCloud's apps, leveraging the existing OIDC integration with an IdP that supports mTLS (like Keycloak) provides a cleaner, more maintainable solution. This approach:

1. Maintains the standard OIDC flow for apps
2. Centralizes authentication complexity at the IdP
3. Requires no changes to OpenCloud's codebase
4. Provides the same security benefits you're looking for

The OAuth2 proxy remains in front of OpenCloud for browser access, while the mobile/desktop apps authenticate via OIDC to the mTLS-enabled IdP, receiving standard tokens that OpenCloud already knows how to handle.

Would this approach work for your use case? Happy to discuss further or help with implementation details!

[micbar]

Interesting proposal.

[RihanArfan]

Thank you very much for investigating and replying ❤️

I believe you've understood my request as supporting mTLS as an IdP method, and as you've pointed out is possible now with Keycloak and soon Ory Hydra. However what I meant is in my use case mTLS is being used as an authentication method for the reverse proxy in front of OpenCloud. This is to bypass the login SSO redirect of the proxy (the http request hasn't reached OpenCloud yet). Apologies for my poor explanation earlier 😅

Using an identity-aware proxy is a zero trust way to expose sensitive resources to the internet without needing VPN clients etc. This also protects from exploits in the underlying application as requests can only reach the application after passing authentication. In my scenario (homelab) I want to share OpenCloud with other users who cannot use a VPN client, so this is a safe way to achieve that.