[keycloak-user] Mixing https/http schemes with sslRequired == all

Stian Thorgersen stian at redhat.com
Wed Jun 10 13:16:08 EDT 2015



----- Original Message -----
> From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Wednesday, 10 June, 2015 5:09:31 PM
> Subject: Re: [keycloak-user] Mixing https/http schemes with sslRequired == all
> 
> Yep, it appears so.
> 
> So, we're either talking about a feature, or some sort of behaviour that is
> desired. Right?

Yes, it is indeed the desired behavior.

> 
> 
> Anyway, thanks for clarifying this.
> 
> On Wed, Jun 10, 2015 at 2:13 PM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> >
> >
> > ----- Original Message -----
> > > From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> > > To: "Stian Thorgersen" <stian at redhat.com>
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Wednesday, 10 June, 2015 12:57:28 PM
> > > Subject: Re: [keycloak-user] Mixing https/http schemes with sslRequired == all
> > >
> > > Indeed. I've already switched my application to https.
> > >
> > > The reason I'm asking this is because before switching I got blank (no
> > > content) responses from the application's endpoints. HTTP status code was
> > > 200 but there was no content returned. At the same time the following
> > > warning appeared in the logs.
> > >
> > > 12:21:55,085 WARN  [org.keycloak.adapters.RequestAuthenticator] (http-/192.168.1.39:8080-4) SSL is required to authenticate
> >
> > In that case I'm probably mistaken and the Keycloak adapter actually
> > checks that the request uses SSL when there's a token in it. That would
> > make sense to me that it does, but I wasn't aware that it did ;)
> >
> > >
> > >
> > > On Wed, Jun 10, 2015 at 10:14 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> > > > > To: keycloak-user at lists.jboss.org
> > > > > Sent: Wednesday, 10 June, 2015 8:57:01 AM
> > > > > Subject: [keycloak-user] Mixing https/http schemes with sslRequired == all
> > > > >
> > > > > Hello,
> > > > >
> > > > > Can keycloak operate on HTTPS while the REST application it protects
> > > > > runs on HTTP?
> > > > >
> > > > > I've also set "Require SSL" to "all requests"
> > > >
> > > > Keycloak only deals with requests made to the Keycloak Server and
> > > > doesn't put any restriction on the requests to your rest endpoints.
> > > > However, as you are passing the token in requests to your rest
> > > > endpoints it wouldn't be the best idea to not use ssl. Although the
> > > > risk can be mitigated slightly by having a short lifespan on access
> > > > tokens.
> > > >
> > > > >
> > > > >
> > > > > Regards
> > > > >
> > > > > Orestis
> > > > >
> > > >
> > >
> >
> 
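
The warning quoted in this thread is what the adapter logs when it refuses a plain-HTTP request, so counting it per connector shows where clients are still sending requests (and any bearer tokens in them) without TLS. The script below is an added example, not part of the original thread and not Keycloak code; it assumes the one-line log layout of the warning quoted above, reads the address and port from the thread name, and runs on a constructed sample log.

```python
import re
from collections import Counter

# Matches the adapter warning quoted in the thread. The thread-name layout
# "(http-/<address>:<port>-<n>)" is assumed from that single log line.
WARNING = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+WARN\s+"
    r"\[org\.keycloak\.adapters\.RequestAuthenticator\]\s+"
    r"\(http-[^/]*/(?P<addr>[^:)]+):(?P<port>\d+)-\d+\)\s+"
    r"SSL is required to authenticate\s*$"
)

# Constructed sample log: the first line is the one from the thread,
# the other lines (including org.example.app.Orders) are made up.
SAMPLE_LOG = """\
12:21:55,085 WARN  [org.keycloak.adapters.RequestAuthenticator] (http-/192.168.1.39:8080-4) SSL is required to authenticate
12:21:55,310 INFO  [org.example.app.Orders] (http-/192.168.1.39:8080-4) listing orders
12:22:01,512 WARN  [org.keycloak.adapters.RequestAuthenticator] (http-/192.168.1.39:8080-7) SSL is required to authenticate
12:22:03,002 WARN  [org.keycloak.adapters.RequestAuthenticator] (http-/10.0.0.5:8080-1) SSL is required to authenticate
12:22:04,449 WARN  [org.example.app.Orders] (http-/10.0.0.5:8080-1) slow query
"""


def plain_http_rejections(log_text):
    """Count 'SSL is required to authenticate' warnings per (address, port)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = WARNING.match(line)
        if m:
            hits[(m.group("addr"), int(m.group("port")))] += 1
    return hits


def report(log_text):
    """Return (listener, count) pairs, most rejected requests first."""
    return sorted(plain_http_rejections(log_text).items(),
                  key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (addr, port), count in report(SAMPLE_LOG):
        print(f"{addr}:{port} rejected {count} non-SSL request(s); "
              "any token in them crossed the network in clear text")
```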

