[keycloak-dev] Enable SSL by default
Stian Thorgersen
stian at redhat.com
Thu Jul 31 09:04:47 EDT 2014
I propose we remove the SSL required switch on the Realm. Instead we have an option to configure SSL requirement in keycloak-server.json, which also allows excluding IP addresses.
Default config would be:
{
"https": {
"required" : true,
"exclude": [ "localhost", "127.0.0.1" ]
}
}
If someone wants to allow local network traffic without https they could change it to:
{
"https": {
"required" : true,
"exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
}
}
And of course if someone really wants to they can disable it altogether with:
{
"https": {
"required" : false,
"exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
}
}
If no config is specified I think it should default to required: true, with empty exclude.
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 31 July, 2014 1:53:48 PM
> Subject: Re: [keycloak-dev] Enable SSL by default
>
> So hardcode the localhost requirement? That would work. The switch
> would be "require ssl" or "non-encrypted localhost only"
>
> On 7/31/2014 5:40 AM, Stian Thorgersen wrote:
> > To make sure no-one goes off and uses Keycloak in production without HTTPS
> > we should require SSL by default. To still allow developers to play with
> > Keycloak without having to configure HTTPS first we should allow non-HTTPS
> > if accessed via localhost only.
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
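As an added illustration of the semantics proposed above (this is example code written for this page, not Keycloak's implementation and not part of the thread), the Python below reads the proposed "https" section of keycloak-server.json, falls back to required: true with an empty exclude list when the section is absent, and decides per request whether a plain-HTTP request must be rejected. The function names, the per-octet reading of a wildcard entry such as "10.9.10.*", and the sample requests are my assumptions; the three sample configs mirror the ones in the mail.

```python
import ipaddress
import json
from typing import Iterable

# Strict default the mail proposes when no "https" section is configured.
DEFAULT_HTTPS_CONFIG = {"required": True, "exclude": []}

# The three configurations from the proposal (copied from the mail).
SAMPLE_DEFAULT_JSON = '{"https": {"required": true, "exclude": ["localhost", "127.0.0.1"]}}'
SAMPLE_LAN_JSON = '{"https": {"required": true, "exclude": ["localhost", "127.0.0.1", "10.9.10.*"]}}'
SAMPLE_DISABLED_JSON = '{"https": {"required": false, "exclude": ["localhost", "127.0.0.1", "10.9.10.*"]}}'


def load_https_config(server_json: str) -> dict:
    """Read the "https" section of a keycloak-server.json-style document.

    A missing section, or a missing key inside it, falls back to the strict
    default (required, nothing excluded). Assumed shape; not Keycloak's parser.
    """
    doc = json.loads(server_json)
    section = doc.get("https", {})
    return {
        "required": bool(section.get("required", DEFAULT_HTTPS_CONFIG["required"])),
        "exclude": list(section.get("exclude", DEFAULT_HTTPS_CONFIG["exclude"])),
    }


def _pattern_matches(pattern: str, address: str) -> bool:
    """Match one exclude entry against the peer address the server sees.

    Entries without "*" are compared literally ("localhost", "127.0.0.1").
    A dotted-quad entry may use "*" for whole octets ("10.9.10.*"); the
    wildcard is honoured per octet only, so "10.9.10.*" does not cover
    10.9.100.5 and a three-part pattern like "10.9.*" matches nothing.
    """
    if "*" not in pattern:
        return pattern == address
    pattern_octets = pattern.split(".")
    if len(pattern_octets) != 4:
        return False
    try:
        address_octets = str(ipaddress.IPv4Address(address)).split(".")
    except ValueError:
        return False  # wildcard entries are IPv4-only; hostnames and IPv6 never match
    return all(p == "*" or p == a for p, a in zip(pattern_octets, address_octets))


def is_excluded(address: str, exclude: Iterable[str]) -> bool:
    """True if any exclude entry covers this peer address."""
    return any(_pattern_matches(entry, address) for entry in exclude)


def must_reject(config: dict, remote_address: str, is_https: bool) -> bool:
    """Decide whether a request must be refused for not using HTTPS.

    remote_address is the TCP peer as the server sees it, not an address
    claimed in an X-Forwarded-For header (assumption: headers are untrusted).
    """
    if is_https or not config["required"]:
        return False
    return not is_excluded(remote_address, config["exclude"])


if __name__ == "__main__":
    # Constructed sample requests: (description, config JSON, peer, over HTTPS?)
    samples = [
        ("no config, loopback, http", "{}", "127.0.0.1", False),
        ("default config, loopback, http", SAMPLE_DEFAULT_JSON, "127.0.0.1", False),
        ("default config, LAN host, http", SAMPLE_DEFAULT_JSON, "10.9.10.5", False),
        ("LAN config, LAN host, http", SAMPLE_LAN_JSON, "10.9.10.5", False),
        ("LAN config, other subnet, http", SAMPLE_LAN_JSON, "10.9.100.5", False),
        ("disabled, other subnet, http", SAMPLE_DISABLED_JSON, "10.9.100.5", False),
    ]
    for label, raw, peer, https in samples:
        verdict = "REJECT" if must_reject(load_https_config(raw), peer, https) else "allow"
        print(f"{label:34s} -> {verdict}")
```

Two caveats a deployer would want to keep in mind with this kind of exclusion list: the match is against the peer address the server actually sees, so if a reverse proxy on the same machine fronts Keycloak, every client arrives from 127.0.0.1 and the loopback exclusion silently covers all traffic; and the proposed default list names only "localhost" and "127.0.0.1", so a client connecting over the IPv6 loopback (::1) would still be required to use HTTPS, while the literal "localhost" entry only helps if the server reports the peer by that name rather than by IP.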