[keycloak-dev] Require SSL option

Bill Burke bburke at redhat.com
Wed Dec 11 08:05:43 EST 2013


Require SSL means that all interaction with the Keycloak server is required 
to be HTTPS.  All redirect URLs must also use the HTTPS protocol.  Like 
you said, it also will set "secure" on any cookies it sets, but that's only 
part of it.  Other than renaming it to "Require HTTPS", I think the name 
is appropriate.

On 12/10/2013 11:20 AM, Marek Posolda wrote:
> Hi,
>
> I would like to ask what exactly is semantics of realm option "Require
> SSL"? My first impression is that if this option is enabled, then access
> to URI like "http://localhost:8080/auth-server/rest/realms/demo/..."
> should be allowed just with 'https' protocol instead of plain 'http'.
> Actually http access to realm is enabled and login works. Option is used
> just for securing cookies like KEYCLOAK_IDENTITY, so that SSO
> reauthentication with cookies is effectively disabled. But shouldn't we
> rename this option to something "Use secured cookie" then? Name "Require
> SSL" seems to be confusing IMO.
>
> There is also one more issue
> https://issues.jboss.org/browse/KEYCLOAK-227 due to the fact that option
> doesn't affect just KEYCLOAK_IDENTITY cookie but also
> KEYCLOAK_ACCOUNT_IDENTITY, which means that I am always redirected back
> to login form after successful login in case that login has been
> triggered for AccountManagement application.
>
> WDYT?
> Marek
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
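The three rules Bill lists for "Require SSL" (the request must be HTTPS, every redirect URL must be HTTPS, cookies get the Secure flag), together with the effect Marek describes (a Secure KEYCLOAK_IDENTITY cookie is not sent back over plain HTTP, so SSO reauthentication by cookie silently fails), modelled as a small added example. This is illustration code written for this page, not Keycloak's own implementation; the function names, the request URL and the cookie value are constructed for the example.

```python
from urllib.parse import urlsplit


def is_https(url: str) -> bool:
    """True only when the URL carries an explicit https scheme (case-insensitive).

    A missing scheme, a bare host:port, or plain http all count as not secure.
    """
    return urlsplit(url).scheme.lower() == "https"


def check_require_ssl(require_ssl: bool, request_url: str, redirect_uris) -> list:
    """Return the list of 'Require SSL' violations for one request.

    With the realm option enabled, the request itself and every redirect URI
    must be https. With it disabled, nothing is enforced (empty list).
    """
    if not require_ssl:
        return []
    violations = []
    if not is_https(request_url):
        violations.append(f"request not over https: {request_url}")
    for uri in redirect_uris:
        if not is_https(uri):
            violations.append(f"redirect URI not https: {uri}")
    return violations


def build_cookie_header(name: str, value: str, require_ssl: bool, path: str = "/") -> str:
    """Build a Set-Cookie header value; the Secure flag follows the realm option."""
    parts = [f"{name}={value}", f"Path={path}", "HttpOnly"]
    if require_ssl:
        parts.append("Secure")
    return "; ".join(parts)


def browser_sends_cookie(set_cookie_header: str, request_url: str) -> bool:
    """Model the browser rule: a cookie flagged Secure is only sent over https."""
    attrs = [p.strip().lower() for p in set_cookie_header.split(";")]
    secure = "secure" in attrs
    return is_https(request_url) or not secure


def sso_reauth_works(require_ssl: bool, request_url: str) -> bool:
    """Would SSO reauthentication via the KEYCLOAK_IDENTITY cookie succeed?

    The cookie is issued with the Secure flag iff require_ssl is on; the
    browser then only returns it when the follow-up request is https.
    This is the mismatch Marek observed: http access still works for the
    login itself, but the Secure cookie never comes back.
    """
    # "session-token" is a constructed placeholder value for the example.
    header = build_cookie_header("KEYCLOAK_IDENTITY", "session-token", require_ssl)
    return browser_sends_cookie(header, request_url)


if __name__ == "__main__":
    # Constructed sample: the realm URL from Marek's mail plus two redirect URIs.
    url = "http://localhost:8080/auth-server/rest/realms/demo/"
    for v in check_require_ssl(True, url, ["https://app.example/cb", "http://app.example/cb"]):
        print("violation:", v)
    print("SSO reauth over http with Require SSL:", sso_reauth_works(True, url))
```

The point the model makes visible is that enforcing only the cookie flag, while still serving the login over http, does not add protection: it just breaks cookie-based reauthentication, which is the behaviour the ticket in the thread reports. Enforcing the request scheme and the redirect URIs as well is what makes the option mean what its name says.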

