[keycloak-dev] Enable SSL by default

Stian Thorgersen stian at redhat.com
Fri Aug 1 09:46:09 EDT 2014


Damn, forgot about Docker :/

Current implementation works great for local devs and OpenShift (as https is always on there).

But, with Docker, KVM or anyone using multiple machines to do development they won't be using localhost.

I'm going to also permit private addresses (http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses).

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 1 August, 2014 2:25:38 PM
> Subject: Re: [keycloak-dev] Enable SSL by default
> 
> As usual, great stuff.
> 
> On 8/1/2014 8:55 AM, Stian Thorgersen wrote:
> > Added, ssl-not-required has been replaced with ssl-required with valid
> > options:
> >
> > * all - requires SSL for all requests
> > * external - requires SSL for external requests (default)
> > * none - don't require SSL at all
> >
> > Both the server and adapters have been updated.
> >
> > ----- Original Message -----
> >> From: "Stian Thorgersen" <stian at redhat.com>
> >> To: "Bill Burke" <bburke at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 31 July, 2014 4:15:40 PM
> >> Subject: Re: [keycloak-dev] Enable SSL by default
> >>
> >> This is pretty tricky if we want a nice error page. Especially as we need
> >> to know the realm to know the login theme.
> >>
> >> I'm dropping this, and instead adding RealmModel.isSslNotRequiredLocalRequest.
> >> By default isSslNotRequired will be false, while
> >> isSslNotRequiredLocalRequest will be true.
> >>
> >> ----- Original Message -----
> >>> From: "Stian Thorgersen" <stian at redhat.com>
> >>> To: "Bill Burke" <bburke at redhat.com>
> >>> Cc: keycloak-dev at lists.jboss.org
> >>> Sent: Thursday, 31 July, 2014 2:04:47 PM
> >>> Subject: Re: [keycloak-dev] Enable SSL by default
> >>>
> >>> I propose we remove the SSL required switch on the Realm. Instead we have
> >>> an option to configure SSL requirement in keycloak-server.json, which also
> >>> allows excluding IP addresses.
> >>>
> >>> Default config would be:
> >>>
> >>>    {
> >>>      "https": {
> >>>         "required" : true,
> >>>         "exclude": [ "localhost", "127.0.0.1" ]
> >>>      }
> >>>    }
> >>>
> >>> If someone wants to allow local network traffic without https they could
> >>> change it to:
> >>>
> >>>    {
> >>>      "https": {
> >>>         "required" : true,
> >>>         "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
> >>>      }
> >>>    }
> >>>
> >>> And of course if someone really wants to they can disable it altogether
> >>> with:
> >>>
> >>>    {
> >>>      "https": {
> >>>         "required" : false,
> >>>         "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
> >>>      }
> >>>    }
> >>>
> >>> If no config is specified I think it should default to required: true,
> >>> with empty exclude.
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: keycloak-dev at lists.jboss.org
> >>>> Sent: Thursday, 31 July, 2014 1:53:48 PM
> >>>> Subject: Re: [keycloak-dev] Enable SSL by default
> >>>>
> >>>> So hardcode the localhost requirement?  That would work.  The switch
> >>>> would be "require ssl" or "non-encrypted localhost only"
> >>>>
> >>>> On 7/31/2014 5:40 AM, Stian Thorgersen wrote:
> >>>>> To make sure no-one goes off and uses Keycloak in production without
> >>>>> HTTPS we should require SSL by default. To still allow developers to play
> >>>>> with Keycloak without having to configure HTTPS first we should allow
> >>>>> non-HTTPS if accessed via localhost only.
> >>>>> _______________________________________________
> >>>>> keycloak-dev mailing list
> >>>>> keycloak-dev at lists.jboss.org
> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>>
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>>
> >>>
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
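The policy the thread settles on (ssl-required = all / external / none, with "external" treating loopback and the private IPv4 ranges as non-external), as an added example that is not Keycloak's own code. It also covers the earlier keycloak-server.json "exclude" proposal in the sense that the exclude list becomes a fixed set of networks. The function names, the IPv6 counterparts (::1 and fc00::/7) and the fail-closed handling of an unparsable peer address are assumptions of this example, not something the thread specifies.

```python
"""Added example (not Keycloak code): evaluate an ssl-required policy against
a request's peer address and scheme, as discussed on keycloak-dev."""
import ipaddress
from enum import Enum


class SslRequired(Enum):
    ALL = "all"            # HTTPS required for every request
    EXTERNAL = "external"  # HTTPS required unless the peer is local/private (default)
    NONE = "none"          # HTTPS never required


# Loopback plus the IPv4 private ranges the thread links to, and (assumption of
# this example) their IPv6 counterparts; the thread itself only mentions IPv4.
_NON_EXTERNAL_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
]


def is_local_request(remote_addr: str) -> bool:
    """True when the peer address is loopback or private address space.

    An address that does not parse is treated as external, so a malformed
    peer address can never switch HTTPS enforcement off (fail closed).
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges still match.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in _NON_EXTERNAL_NETWORKS)


def ssl_required_for(policy: SslRequired, remote_addr: str) -> bool:
    """Decide whether this peer must use HTTPS under the given policy."""
    if policy is SslRequired.ALL:
        return True
    if policy is SslRequired.NONE:
        return False
    return not is_local_request(remote_addr)


def check_request(policy: SslRequired, remote_addr: str, is_https: bool) -> str:
    """Return "ok" if the request may proceed, else a rejection reason."""
    if is_https or not ssl_required_for(policy, remote_addr):
        return "ok"
    return "reject: https required"


if __name__ == "__main__":
    # Constructed sample requests: (peer address, request used HTTPS).
    samples = [
        ("127.0.0.1", False),
        ("10.9.10.25", False),
        ("203.0.113.7", False),
        ("203.0.113.7", True),
    ]
    for policy in SslRequired:
        for addr, https in samples:
            scheme = "https" if https else "http"
            print(f"{policy.value:8} {addr:14} {scheme:5} -> {check_request(policy, addr, https)}")
```

One caveat worth keeping in mind with the "external" setting: the decision is made on the peer address the server sees. Behind a reverse proxy or load balancer on a private network every request arrives from a private address, so "external" would exempt all traffic; in that deployment either use "all" or derive the client address from a proxy header that only a trusted proxy can set.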