I think there is a JIRA somewhere to make sure that SSL checks are made
if this flag is set.
On 12/11/2013 8:34 AM, Marek Posolda wrote:
ah ok. Thanks. Currently it's used just for cookies. It's allowed to
have http redirect URLs and authenticate into Keycloak with plain HTTP
protocol. So should I create JIRA to improve that and add more strict
checks based on protocol?
Marek
On 11.12.2013 14:05, Bill Burke wrote:
> Require SSL means that all interaction with Keycloak server is required
> to be HTTPS. All redirect URLs must also use the HTTPS protocol. Like
> you said, it also will set "secure" on any set Cookies, but that's only
> part of it. Other than renaming it to "Require HTTPS", i think the name
> is appropriate.
>
> On 12/10/2013 11:20 AM, Marek Posolda wrote:
>> Hi,
>>
>> I would like to ask what exactly is semantics of realm option "Require
>> SSL"? My first impression is that if this option is enabled, then access
>> to URI like "http://localhost:8080/auth-server/rest/realms/demo/..."
>> should be allowed just with 'https' protocol instead of plain 'http'.
>> Actually http access to realm is enabled and login works. Option is used
>> just for securing cookies like KEYCLOAK_IDENTITY, so that SSO
>> reauthentication with cookies is effectively disabled. But shouldn't we
>> rename this option to something "Use secured cookie" then? Name "Require
>> SSL" seems to be confusing IMO.
>>
>> There is also one more issue
>> https://issues.jboss.org/browse/KEYCLOAK-227 due to the fact that option
>> doesn't affect just KEYCLOAK_IDENTITY cookie but also
>> KEYCLOAK_ACCOUNT_IDENTITY, which means that I am always redirected back
>> to login form after successful login in case that login has been
>> triggered for AccountManagement application.
>>
>> WDYT?
>> Marek
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
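An added illustration of the "Require SSL" semantics Bill describes in the thread, written in Python; this is not Keycloak's code, and the class and function names are assumptions. With the flag on, plain-HTTP requests to the server are refused, non-HTTPS (or non-absolute) redirect URLs are rejected, and identity cookies are issued with the Secure attribute; with the flag off, only the cookie behaviour changes.

```python
from urllib.parse import urlsplit


class RequireSslPolicy:
    """Hypothetical enforcement of a realm's "Require SSL" flag.

    Semantics (from the thread): all interaction with the server must be
    HTTPS, all redirect URLs must be HTTPS, and cookies get Secure.
    """

    def __init__(self, require_ssl: bool):
        self.require_ssl = require_ssl

    def request_allowed(self, scheme: str) -> bool:
        # Plain-http access to realm endpoints is refused when the flag is on.
        return (not self.require_ssl) or scheme.lower() == "https"

    def redirect_uri_allowed(self, uri: str) -> bool:
        # A redirect target must be absolute so its scheme can be checked;
        # relative or scheme-less values are rejected in both modes.
        parts = urlsplit(uri.strip())
        if not parts.scheme or not parts.netloc:
            return False
        if self.require_ssl:
            return parts.scheme.lower() == "https"
        return parts.scheme.lower() in ("http", "https")

    def cookie_header(self, name: str, value: str) -> str:
        # Identity cookies (KEYCLOAK_IDENTITY, KEYCLOAK_ACCOUNT_IDENTITY in
        # the thread) carry Secure only when the flag is on; HttpOnly always.
        attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
        if self.require_ssl:
            attrs.append("Secure")
        return "; ".join(attrs)


def check_login_request(policy: RequireSslPolicy, scheme: str, redirect_uri: str):
    """Return the list of policy violations for a login request (empty = ok)."""
    problems = []
    if not policy.request_allowed(scheme):
        problems.append("request not over https")
    if not policy.redirect_uri_allowed(redirect_uri):
        problems.append("redirect_uri not https or not absolute")
    return problems


if __name__ == "__main__":
    # Constructed sample: flag on, client logs in over http with an http callback.
    strict = RequireSslPolicy(require_ssl=True)
    print(check_login_request(strict, "http", "http://app.example/cb"))
    print(strict.cookie_header("KEYCLOAK_IDENTITY", "opaque-token-value"))
```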