I propose we remove the SSL required switch on the Realm. Instead we have an option to
configure SSL requirement in keycloak-server.json, which also allows excluding IP
addresses.
Default config would be:
    {
        "https": {
            "required": true,
            "exclude": [ "localhost", "127.0.0.1" ]
        }
    }
If someone wants to allow local network traffic without https they could change it to:
    {
        "https": {
            "required": true,
            "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
        }
    }
And of course if someone really wants to they can disable it altogether with:
    {
        "https": {
            "required": false,
            "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
        }
    }
If no config is specified I think it should default to required: true, with empty
exclude.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 31 July, 2014 1:53:48 PM
Subject: Re: [keycloak-dev] Enable SSL by default
So hardcode the localhost requirement? That would work. The switch
would be "require ssl" or "non-encrypted localhost only"
On 7/31/2014 5:40 AM, Stian Thorgersen wrote:
> To make sure no one goes off and uses Keycloak in production without HTTPS
> we should require SSL by default. To still allow developers to play with
> Keycloak without having to configure HTTPS first we should allow non-HTTPS
> if accessed via localhost only.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
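
Added example, not part of the thread and not Keycloak code: a sketch of how the proposed "https" block could be evaluated per request. The function names, the rule that "localhost" means any loopback address, and the choice to match only the socket peer address are assumptions of this example.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed config, mirroring the "local network" variant in the thread.
CONFIG = {"https": {"required": True,
                    "exclude": ["localhost", "127.0.0.1", "10.9.10.*"]}}

def is_excluded(remote_addr, patterns):
    """True if the peer address matches an entry of the exclude list.

    remote_addr must be the TCP peer address taken from the socket, never
    the Host header or X-Forwarded-For, which the client controls.
    """
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # not a literal IP address: never exempt
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.9.10.5 is treated as 10.9.10.5
    for pattern in patterns:
        if pattern == "localhost":
            # Assumption: the name stands for the loopback range.
            if ip.is_loopback:
                return True
        elif fnmatchcase(str(ip), pattern):
            return True
    return False

def request_allowed(config, remote_addr, secure):
    """Decide whether a request may proceed under the proposed policy."""
    https = (config or {}).get("https", {})
    # Missing config defaults to required: true with an empty exclude list.
    if secure or not https.get("required", True):
        return True
    return is_excluded(remote_addr, https.get("exclude", []))

if __name__ == "__main__":
    for addr in ("127.0.0.1", "10.9.10.42", "10.9.100.42", "203.0.113.7"):
        print(addr, request_allowed(CONFIG, addr, secure=False))
```

The pattern "10.9.10.*" matches on the textual form of the address, so it covers 10.9.10.0 to 10.9.10.255 but not 10.9.100.x.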