This might also be interesting when connecting to Nextcloud with SSO & SAML authentication ¹.

Very similarly, OIDC support is so close with keycloak. The client almost works in that it redirects correctly to the OIDC IDP and presents the correct certifcate for mutual TLS, but then since it issues a PROPFIND, keycloak presents an error instead of redirecting it. Going to see if I can get keycloak to accept a PROPFIND request...

Very similarly, OIDC support is so close with keycloak. The client almost works in that it redirects correctly to the OIDC IDP and presents the correct certifcate for mutual TLS, but then since it issues a PROPFIND, keycloak presents an error instead of redirecting it. Going to see if I can get keycloak to accept a PROPFIND request...

The first request sent should be a HEAD. It would be great if you can share the configuration of your setup so we might be able to assist.

Yes, it is, and MountainDuck and Cyberduck are the same in this.

• The first request is the HEAD request to the WebDAV server (a custom one written in Go) which is TLS but not mutual TLS (no client cert required). Since there's no session cookie, the server sends a redirect with some server generated parameters and both clients follow it.
• They then make a TLS connection to the second domain (a keycloak instance) where they are redirected (which is configured for mutual TLS) and use the certificate on the smart card successfully, but the HTTP method underneath is a PROPFIND. Since keycloak doesn't support that, it gives a 405 error. If that's a GET request instead, keycloak would send another redirect back to the first server but now with the "code" and "state" parameters that's part of the OIDC protocol. (https://openid.net/developers/how-connect-works/)
• Then finally a 3rd request would be made back to the original WebDAV server to a particular endpoint /auth/openid/login and the "code" would be exchanged with keycloak in a server-to-server way such that the WebDAV server now knows which user this is, and the WebDAV server issues a session cookie to the client and now I don't need to keep my smart card in my system all the time.

Since the WebDAV server is custom, I don't have many requirements over it because I can make it work with whatever the client sends as long as the client supports redirects and cookies (which both Mountain Duck and Cyberduck do). So I really only need a minor configuration change for this flow to work I believe which is something to the effect of a checkbox/boolean for "Send GET requests for 3rd party servers" (e.g., detect that keycloak isn't the originating domain and you were redirected there, do a GET request instead, then follow whatever redirect it gives you) or maybe "Send GET requests for all redirects received" (though maybe WebDAV allows redirects sometimes, like in the case of a symlink?)