[keycloak-dev] Require SSL option
Marek Posolda
mposolda at redhat.com
Tue Dec 10 11:20:32 EST 2013
Hi,
I would like to ask what exactly the semantics of the realm option "Require
SSL" are. My first impression is that if this option is enabled, then access
to a URI like "http://localhost:8080/auth-server/rest/realms/demo/..."
should be allowed only with the 'https' protocol instead of plain 'http'.
Actually, HTTP access to the realm is enabled and login works. The option is
used just for securing cookies like KEYCLOAK_IDENTITY, so that SSO
reauthentication with cookies is effectively disabled. But shouldn't we
rename this option to something like "Use secured cookie" then? The name
"Require SSL" seems confusing IMO.
There is also one more issue,
https://issues.jboss.org/browse/KEYCLOAK-227, due to the fact that the option
doesn't affect just the KEYCLOAK_IDENTITY cookie but also
KEYCLOAK_ACCOUNT_IDENTITY, which means that I am always redirected back
to the login form after a successful login in case the login has been
triggered for the AccountManagement application.
WDYT?
Marek
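The two readings of "Require SSL" that the message contrasts, modelled as an added example (this is illustration code written for this page, not Keycloak's implementation): reading A rejects plain-http requests to the realm; reading B accepts http but sets the Secure attribute on the SSO cookie, so a browser never sends it over http and cookie-based SSO silently stops working. The https URL, the opaque cookie value, the policy flags and the minimal browser cookie store are all assumptions made for the illustration; the KEYCLOAK-227 symptom is modelled as the account application setting its own cookie with the same flag, as the message describes.

```python
"""Model of two possible meanings of a realm-level "Require SSL" option.

Added illustration, not Keycloak code. Assumptions: the https URL, the cookie
value, the RealmPolicy flags and the simplified browser cookie store below.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # Secure attribute: browser only sends it over https


@dataclass
class CookieJar:
    """Minimal browser cookie store (per-host and path rules omitted)."""
    cookies: dict = field(default_factory=dict)

    def store(self, cookie: Cookie) -> None:
        self.cookies[cookie.name] = cookie

    def cookies_for(self, url: str) -> dict:
        """Cookies the browser attaches to a request for `url` (RFC 6265 5.4:
        a Secure cookie is sent only over a secure scheme)."""
        scheme = urlsplit(url).scheme
        return {c.name: c.value for c in self.cookies.values()
                if scheme == "https" or not c.secure}


@dataclass
class RealmPolicy:
    require_ssl: bool        # the realm option under discussion (assumed flag)
    reject_plain_http: bool  # True = reading A, False = reading B (cookie flag only)


def login_request(policy: RealmPolicy, url: str, jar: CookieJar,
                  cookie_name: str = "KEYCLOAK_IDENTITY") -> str:
    """One request to the realm login endpoint; returns how the user got in."""
    scheme = urlsplit(url).scheme
    if policy.require_ssl and policy.reject_plain_http and scheme != "https":
        return "rejected: https required"
    if cookie_name in jar.cookies_for(url):
        return "sso via cookie"
    # No usable SSO cookie: the login form is shown; assume credentials succeed.
    # Under "Require SSL" the cookie is issued with the Secure attribute.
    jar.store(Cookie(cookie_name, "opaque-token", secure=policy.require_ssl))
    return "login form"


def sso_sequence(policy: RealmPolicy, urls: list) -> list:
    """Outcome of each request in `urls`, sharing one browser cookie jar."""
    jar = CookieJar()
    return [login_request(policy, u, jar) for u in urls]


def account_app_flow(policy: RealmPolicy, url: str, max_rounds: int = 3) -> list:
    """Model of the KEYCLOAK-227 symptom: the account application sets its own
    KEYCLOAK_ACCOUNT_IDENTITY cookie with the same Secure flag, so over plain
    http it is never sent back and every round lands on the login form again."""
    jar = CookieJar()
    outcomes = []
    for _ in range(max_rounds):
        outcome = login_request(policy, url, jar,
                                cookie_name="KEYCLOAK_ACCOUNT_IDENTITY")
        outcomes.append(outcome)
        if outcome != "login form":
            break
    return outcomes


if __name__ == "__main__":
    urls = ["https://localhost:8443/auth-server/rest/realms/demo/login",  # assumed
            "http://localhost:8080/auth-server/rest/realms/demo/login"]
    for label, policy in [("require_ssl off", RealmPolicy(False, False)),
                          ("reading B (secure cookies)", RealmPolicy(True, False)),
                          ("reading A (reject http)", RealmPolicy(True, True))]:
        print(label, sso_sequence(policy, urls))
    print("account app over http, reading B:",
          account_app_flow(RealmPolicy(True, False),
                           "http://localhost:8080/auth-server/rest/realms/demo/account"))
```

Under reading B the second (http) request never sees the cookie and falls back to the login form every time, which is the "SSO reauthentication effectively disabled" behaviour; under reading A it is refused outright. The account-application loop shows why the same flag on KEYCLOAK_ACCOUNT_IDENTITY produces a redirect back to login after every successful login over http.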