Added, ssl-not-required has been replaced with ssl-required with
valid options:
* all - requires SSL for all requests
* external - requires SSL for external requests (default)
* none - don't require SSL at all
Both the server and adapters have been updated.
----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, 31 July, 2014 4:15:40 PM
> Subject: Re: [keycloak-dev] Enable SSL by default
>
> This is pretty tricky if we want a nice error page. Especially as we need to
> know the realm to know the login theme.
>
> I'm dropping this, and instead adding
> RealmModel.isSslNotRequiredLocalRequest. By default isSslNotRequired will be
> false, while isSslNotRequiredLocalRequest will be true.
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian(a)redhat.com>
>> To: "Bill Burke" <bburke(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 31 July, 2014 2:04:47 PM
>> Subject: Re: [keycloak-dev] Enable SSL by default
>>
>> I propose we remove the SSL required switch on the Realm. Instead we have an
>> option to configure SSL requirement in keycloak-server.json, which also
>> allows excluding IP addresses.
>>
>> Default config would be:
>>
>> {
>>     "https": {
>>         "required": true,
>>         "exclude": [ "localhost", "127.0.0.1" ]
>>     }
>> }
>>
>> If someone wants to allow local network traffic without https they could
>> change it to:
>>
>> {
>>     "https": {
>>         "required": true,
>>         "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
>>     }
>> }
>>
>> And of course if someone really wants to they can disable it altogether
>> with:
>>
>> {
>>     "https": {
>>         "required": false,
>>         "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
>>     }
>> }
>>
>> If no config is specified I think it should default to required: true, with
>> empty exclude.
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: keycloak-dev(a)lists.jboss.org
>>> Sent: Thursday, 31 July, 2014 1:53:48 PM
>>> Subject: Re: [keycloak-dev] Enable SSL by default
>>>
>>> So hardcode the localhost requirement? That would work. The switch
>>> would be "require ssl" or "non-encrypted localhost only"
>>>
>>> On 7/31/2014 5:40 AM, Stian Thorgersen wrote:
>>>> To make sure no-one goes off and uses Keycloak in production without HTTPS
>>>> we should require SSL by default. To still allow developers to play with
>>>> Keycloak without having to configure HTTPS first we should allow non-HTTPS
>>>> if accessed via localhost only.
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
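
The three ssl-required options from the message at the top of this thread, sketched as a request check. This is an added example, not code from the thread or from Keycloak. It assumes "external" means any peer outside the loopback and RFC 1918 private ranges, which the thread does not define, and all function names are hypothetical.

```python
import ipaddress

# Assumption: "external" means any peer outside these loopback and
# RFC 1918 private ranges; the thread itself does not define the term.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]
MODES = ("all", "external", "none")


def is_local_peer(peer_addr):
    """True if the TCP peer address is loopback or private."""
    try:
        ip = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False  # hostnames or junk never count as local (fail closed)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so both forms classify alike.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in LOCAL_NETS)


def https_required(mode, peer_addr):
    """Does this ssl-required mode demand HTTPS for this peer?"""
    if mode not in MODES:
        raise ValueError("unknown ssl-required value: %r" % (mode,))
    if mode == "all":
        return True
    if mode == "none":
        return False
    return not is_local_peer(peer_addr)  # "external"


def allow_request(mode, scheme, peer_addr):
    """peer_addr must be the socket peer, never a client-supplied header
    such as X-Forwarded-For, or "external" can be bypassed."""
    return scheme.lower() == "https" or not https_required(mode, peer_addr)
```

Behind a TLS-terminating reverse proxy every request arrives from the proxy's address, so under this sketch the `external` check only reflects the proxy hop.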