added dependabot, updated docs (#10)

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "maven" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

README.md

@@ -1,7 +1,7 @@
 # Keycloak X509 Client Certificate Lookup for Envoy
 
-This project provides an X509 client certificate lookup implementation for Envoy.
-It allows Keycloak to retrieve the client certificate from the `x-forwarded-client-cert` (XFCC) header set by [Envoy proxy](https://www.envoyproxy.io/) and use it for authorization.
+This project provides an X509 client certificate lookup implementation for [Envoy proxy](https://www.envoyproxy.io/).
+It allows Keycloak to retrieve the client certificate from the `x-forwarded-client-cert` (XFCC) header set by Envoy and use it for authorization.
 For more information, refer to [Keycloak's reverse proxy documentation](https://www.keycloak.org/server/reverseproxy) and the section [Enabling client certificate lookup](https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup).
 See also [Envoy's documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-client-cert) on XFCC header.
 

docs/assets/README.md

@@ -0,0 +1,10 @@
+### Important Note for Contributors Updating Diagrams
+
+The images in this project are created using [draw.io](https://app.diagrams.net/).
+When updating these diagrams, please make sure you include a copy of the original draw.io file by following these steps:
+
+1. Go to File > Export as > SVG.
+2. Check the option for Transparent Background.
+3. Set Appearance to automatic (for dark/light mode compatibility).
+4. Check the box for Include a copy of my diagram.
+5. Click Export.

docs/security-and-client-cert-forwarding.md

@@ -1,8 +1,3 @@
-<!-- Note for contributors: -->
-<!-- The images in this document are drawn in https://app.diagrams.net/. -->
-<!-- To edit the images in the editor to see the original vector diagram. -->
-<!-- When saving the updated diagram, remember include copy of the original diagram -->
-
 # Understanding Client Certificate Forwarding and Security Implications
 
 This document outlines the security implications and risks of enabling client certificate forwarding in reverse proxies.
@@ -13,9 +8,12 @@ However, in environments like Kubernetes, some clients may bypass the proxy, lea
 
 ## Overview
 
-`x-forwarded-client-cert` (XFCC) is a proxy header which indicates certificate information of the client, determined by Envoy when terminating the external TLS connection established by the client.
-Envoy terminates the TLS connection and validates the client certificate.
-If the certificate is valid, Envoy forwards the certificate information to the backend service, such as Keycloak, in the XFCC header.
+The `x-forwarded-client-cert` (XFCC) header is used by Envoy proxy to send the client certificate information to the backend service, such as Keycloak.
+When Envoy terminates an external TLS connection initiated by a client, it performs a TLS handshake.
+During this handshake, the client can present a client certificate.
+Envoy verifies that the client possesses the corresponding private key and validates the certificate.
+After successful validation, Envoy forwards the certificate to the backend service via the XFCC header.
+Keycloak then uses the certificate for authorization purposes.
 
 ![image](assets/xfcc-intro.drawio.svg)
 
@@ -33,7 +31,7 @@ Pre-conditions:
 Scenario:
 
 Authentication fails because the SPI implementation expects the identity from the XFCC header, which is not set for internal clients.
-Therefore, the client certificate is not retrieved from the TLS connection.
+The client certificate information from the TLS layer is not used.
 
 ![image](assets/xfcc-scenario-1.drawio.svg)