Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into KC subsystem

From: "Stan Silvert" <ssilvert(a)redhat.com&gt; To: keycloak-dev(a)lists.jboss.org Sent: Monday, 3 November, 2014 2:29:41 PM Subject: Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into KC subsystem So it is decided then? We are dropping the confidential setting in web.xml? On 11/3/2014 8:20 AM, Bill Burke wrote: > #3 is a great point. > > On 11/3/2014 5:28 AM, Stian Thorgersen wrote: >> Actually, thinking about it we should just drop the confidential setting >> in web.xml. >> >> #1 We have ssl-required on realm - there may be traffic where we don't >> check, but we should improve instead of relying on setting in web.xml >> #2 Users shouldn't access Keycloak directly - users click on links in >> applications they don't navigate to a page on KC itself, so there's not >> really a need to do the redirect from http >> #3 Could be risky - if an application uses a custom adapter/lib (or have >> the wrong ssl-required in keycloak.json) and a http library that >> automatically follows the redirect. This would mean that an application >> posts code and client secret to http://.., which returns a 302, the http >> library then re-posts to https://... Keycloak would think all requests >> are done using ssl (as it doesn't see the initial http request, only the >> app server does) and the developer could also be unaware of this, the end >> result being that an application would post codes and secrets in >> clear-text as well as post every request twice. >> >> >> >> ----- Original Message ----- >>> From: "Stian Thorgersen" <stian(a)redhat.com&gt; >>> To: "Stan Silvert" <ssilvert(a)redhat.com&gt; >>> Cc: keycloak-dev(a)lists.jboss.org >>> Sent: Monday, 3 November, 2014 9:19:15 AM >>> Subject: Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into >>> KC subsystem >>> >>> >>> >>> ----- Original Message ----- >>>> From: "Stan Silvert" <ssilvert(a)redhat.com&gt; >>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>> Cc: keycloak-dev(a)lists.jboss.org >>>> Sent: Friday, 31 October, 2014 7:42:34 PM >>>> Subject: Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into >>>> KC >>>> subsystem >>>> >>>> On 10/31/2014 4:15 AM, Stian Thorgersen wrote: >>>>> Looks good to me. We should include this in Beta1. >>>>> >>>>> A few comments/questions: >>>>> >>>>> * Can we support enabling confidential transport-guarantee >>>>> (auth-server/WEB-INF/web.xml) without cracking open the WAR? This seems >>>>> to >>>>> be the last requirement for an exploded WAR >>>> Looking this over, it seems pretty important! I think I'd like to go >>>> ahead and implement this option before we merge. I should be able to do >>>> that and also finish the doc updates by the middle of next week. Just >>>> go ahead and release the Beta if you want. I can catch the next release >>>> train. >>>> >>>> I plan to implement this as a boolean value on on the server called >>>> "https-required". Is there a better name for it? >>>> <subsystem xmlns="urn:jboss:domain:keycloak:1.0"> >>>> <auth-server name="foo"> >>>> <enabled>true</enabled> >>>> <web-context>auth</web-context> >>>> <https-required>true</https-required> >>>> </auth-server> >>>> </subsystem> >>>> >>>> Should the default be false? I realize that the default in the >>>> appliance dist is false, but should the default always be false? >>> We already have the option 'ssl-required' on a realm, so that may be >>> confusing. What about 'redirect-non-ssl'? >>> >>> It shouldn't be on by default, as that would require setting up ssl for >>> development as well. We have the 'ssl-required' set to 'external' to give >>> us >>> a compromise between usability and security. >>> >>>> If true, this will be automatically added to auth-server.war at deploy >>>> time: >>>> >>>> <security-constraint> >>>> <web-resource-collection> >>>> <url-pattern>/*</url-pattern> >>>> </web-resource-collection> >>>> <user-data-constraint> >>>> <transport-guarantee>CONFIDENTIAL</transport-guarantee> >>>> </user-data-constraint> >>>> </security-constraint> >>>> >>>> >>>> >>>> >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev