<div dir="ltr"><div><div>Yep, it appears so.<br><br></div>So, we're either talking about a feature, or some sort behaviour that is desired. Right? <br><br></div><br>Anyway, thanks for clarifying this.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 10, 2015 at 2:13 PM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
----- Original Message -----<br>
> From: "Orestis Tsakiridis" <<a href="mailto:orestis.tsakiridis@telestax.com">orestis.tsakiridis@telestax.com</a>><br>
</span><span class="">> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> Sent: Wednesday, 10 June, 2015 12:57:28 PM<br>
> Subject: Re: [keycloak-user] Mixing https/http schemes with sslRequired == all<br>
><br>
> Indeed. I've already switched my application to https.<br>
><br>
> The reason i'm asking this is because before switching i got blank (no<br>
> content) responses from the application's endpoints. HTTP status code was<br>
> 200 but there was no content returned. At the same time the following<br>
> warning appeared in the logs.<br>
><br>
> 12:21:55,085 WARNÂ [org.keycloak.adapters.RequestAuthenticator]<br>
> (http-/192.168.1.39:8080-4) SSL is required to authenticate<br>
<br>
</span>In that case I'm probably mistaken and the Keycloak adapter actually checks that the request uses SSL when there's a token in it. That would make sense to me that it does, but I wasn't aware that it did ;)<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
><br>
> On Wed, Jun 10, 2015 at 10:14 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br>
><br>
> ><br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Orestis Tsakiridis" <<a href="mailto:orestis.tsakiridis@telestax.com">orestis.tsakiridis@telestax.com</a>><br>
> > > To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > Sent: Wednesday, 10 June, 2015 8:57:01 AM<br>
> > > Subject: [keycloak-user] Mixing https/http schemes with sslRequired ==<br>
> > all<br>
> > ><br>
> > > Hello,<br>
> > ><br>
> > > Can keycloak operate on HTTPS while the REST application it protects<br>
> > runs on<br>
> > > HTTP?<br>
> > ><br>
> > > I've also set "Require SSL" to "all requests"<br>
> ><br>
> > Keycloak only deals with request made to the Keycloak Server and doesn't<br>
> > put any restriction on the request to your rest endpoints. However, as you<br>
> > are passing the token in requests to your rest endpoints it wouldn't be the<br>
> > best idea to not use ssl. Although the risk can be mitigated slightly by<br>
> > having short lifespan on access tokens.<br>
> ><br>
> > ><br>
> > ><br>
> > > Regards<br>
> > ><br>
> > > Orestis<br>
> > ><br>
> > > _______________________________________________<br>
> > > keycloak-user mailing list<br>
> > > <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> ><br>
><br>
</div></div></blockquote></div><br></div>