Karel Piwko following with our conversation on #keycloak, the security impact would be open another point of vulnerability, but if we're not under HTTPS either way things will be messy.

The agreement was to implement on Keycloak HTTPS by default and HTTP for localhost like described here: http://lists.jboss.org/pipermail/keycloak-dev/2014-July/002330.html