[keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into KC subsystem
Stan Silvert
ssilvert at redhat.com
Mon Nov 3 09:43:35 EST 2014
On 11/3/2014 8:40 AM, Stan Silvert wrote:
> Great. I'll go ahead and remove it from web.xml and remove that section
> from the doco.
Done. This is in a separate PR. I don't think I have merge rights, so
someone else will need to do that.
https://github.com/keycloak/keycloak/pull/834
>
> On 11/3/2014 8:35 AM, Stian Thorgersen wrote:
>> Yep
>>
>> ----- Original Message -----
>>> From: "Stan Silvert" <ssilvert at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Monday, 3 November, 2014 2:29:41 PM
>>> Subject: Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into KC subsystem
>>>
>>> So it is decided then? We are dropping the confidential setting in web.xml?
>>>
>>> On 11/3/2014 8:20 AM, Bill Burke wrote:
>>>> #3 is a great point.
>>>>
>>>> On 11/3/2014 5:28 AM, Stian Thorgersen wrote:
>>>>> Actually, thinking about it we should just drop the confidential setting
>>>>> in web.xml.
>>>>>
>>>>> #1 We have ssl-required on realm - there may be traffic where we don't
>>>>> check, but we should improve instead of relying on setting in web.xml
>>>>> #2 Users shouldn't access Keycloak directly - users click on links in
>>>>> applications they don't navigate to a page on KC itself, so there's not
>>>>> really a need to do the redirect from http
>>>>> #3 Could be risky - if an application uses a custom adapter/lib (or have
>>>>> the wrong ssl-required in keycloak.json) and a http library that
>>>>> automatically follows the redirect. This would mean that an application
>>>>> posts code and client secret to http://.., which returns a 302, the http
>>>>> library then re-posts to https://... Keycloak would think all requests
>>>>> are done using ssl (as it doesn't see the initial http request, only the
>>>>> app server does) and the developer could also be unaware of this, the end
>>>>> result being that an application would post codes and secrets in
>>>>> clear-text as well as post every request twice.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Stian Thorgersen" <stian at redhat.com>
>>>>>> To: "Stan Silvert" <ssilvert at redhat.com>
>>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>>> Sent: Monday, 3 November, 2014 9:19:15 AM
>>>>>> Subject: Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into
>>>>>> KC subsystem
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Stan Silvert" <ssilvert at redhat.com>
>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>>>> Sent: Friday, 31 October, 2014 7:42:34 PM
>>>>>>> Subject: Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into
>>>>>>> KC
>>>>>>> subsystem
>>>>>>>
>>>>>>> On 10/31/2014 4:15 AM, Stian Thorgersen wrote:
>>>>>>>> Looks good to me. We should include this in Beta1.
>>>>>>>>
>>>>>>>> A few comments/questions:
>>>>>>>>
>>>>>>>> * Can we support enabling confidential transport-guarantee
>>>>>>>> (auth-server/WEB-INF/web.xml) without cracking open the WAR? This seems
>>>>>>>> to be the last requirement for an exploded WAR
>>>>>>> Looking this over, it seems pretty important! I think I'd like to go
>>>>>>> ahead and implement this option before we merge. I should be able to do
>>>>>>> that and also finish the doc updates by the middle of next week. Just
>>>>>>> go ahead and release the Beta if you want. I can catch the next release
>>>>>>> train.
>>>>>>>
>>>>>>> I plan to implement this as a boolean value on the server called
>>>>>>> "https-required". Is there a better name for it?
>>>>>>> <subsystem xmlns="urn:jboss:domain:keycloak:1.0">
>>>>>>>   <auth-server name="foo">
>>>>>>>     <enabled>true</enabled>
>>>>>>>     <web-context>auth</web-context>
>>>>>>>     <https-required>true</https-required>
>>>>>>>   </auth-server>
>>>>>>> </subsystem>
>>>>>>>
>>>>>>> Should the default be false? I realize that the default in the
>>>>>>> appliance dist is false, but should the default always be false?
>>>>>> We already have the option 'ssl-required' on a realm, so that may be
>>>>>> confusing. What about 'redirect-non-ssl'?
>>>>>>
>>>>>> It shouldn't be on by default, as that would require setting up ssl for
>>>>>> development as well. We have the 'ssl-required' set to 'external' to give
>>>>>> us a compromise between usability and security.
>>>>>>
>>>>>>> If true, this will be automatically added to auth-server.war at deploy
>>>>>>> time:
>>>>>>>
>>>>>>> <security-constraint>
>>>>>>>   <web-resource-collection>
>>>>>>>     <url-pattern>/*</url-pattern>
>>>>>>>   </web-resource-collection>
>>>>>>>   <user-data-constraint>
>>>>>>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>>>>>   </user-data-constraint>
>>>>>>> </security-constraint>
>>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>
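As an added example, not code from this thread or from Keycloak itself, the following Python models the two transport checks the thread weighs against each other: a realm-side `ssl-required` rule (none/external/all, with a private-address exemption assumed for 'external') and the same rule applied by a confidential client before it posts its code and secret, so the client never relies on the server's http-to-https redirect. `plan_token_post` shows the double transmission Stian describes in point #3; the helper names and the `LOCAL_NETS` ranges are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges treated as "not external" (assumption, modelled on the
# private/loopback exemption behind Keycloak's ssl-required=external).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "::1/128")]


def is_local(host: str) -> bool:
    """True when host is 'localhost' or a private/loopback IP literal."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not an IP literal: treat as external
        return False
    return any(ip in net for net in LOCAL_NETS)


def server_accepts(ssl_required: str, scheme: str, client_ip: str) -> bool:
    """Realm-side rule: may a request over `scheme` from `client_ip` proceed?"""
    if ssl_required == "none" or scheme == "https":
        return True
    if ssl_required == "external":
        return is_local(client_ip)
    if ssl_required == "all":
        return False
    raise ValueError(f"unknown ssl-required value: {ssl_required!r}")


def client_may_post_secret(token_url: str, ssl_required: str) -> bool:
    """Adapter-side pre-flight: apply the same rule to the URL the client is
    about to POST its code and client secret to, before sending anything."""
    parts = urlsplit(token_url)
    return server_accepts(ssl_required, parts.scheme, parts.hostname or "")


def plan_token_post(token_url: str, ssl_required: str, hardened: bool) -> list:
    """Transmissions of the (code, secret) body a client makes against a server
    that answers plain http with a 302 to https (the CONFIDENTIAL constraint).
    A naive redirect-following client sends the body twice, the first time in
    clear; a hardened client refuses up front and sends nothing."""
    scheme = urlsplit(token_url).scheme
    if hardened and not client_may_post_secret(token_url, ssl_required):
        return []  # nothing left the process: no cleartext leak, no double post
    hops = [(scheme, "code+secret")]
    if scheme == "http":
        hops.append(("https", "code+secret"))  # library re-posts after the 302
    return hops
```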