Actually, thinking about it we should just drop the confidential setting in web.xml.
#1 We have ssl-required on realm - there may be traffic where we don't check, but we
should improve instead of relying on setting in web.xml
#2 Users shouldn't access Keycloak directly - users click on links in applications
they don't navigate to a page on KC itself, so there's not really a need to do the
redirect from http
#3 Could be risky - if an application uses a custom adapter/lib (or have the wrong
ssl-required in keycloak.json) and a http library that automatically follows the redirect.
This would mean that an application posts code and client secret to http://.., which
returns a 302, the http library then re-posts to https://... Keycloak would think all
requests are done using ssl (as it doesn't see the initial http request, only the app
server does) and the developer could also be unaware of this, the end result being that an
application would post codes and secrets in clear-text as well as post every request
twice.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Stan Silvert" <ssilvert(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, 3 November, 2014 9:19:15 AM
Subject: Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into KC subsystem
----- Original Message -----
> From: "Stan Silvert" <ssilvert(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 31 October, 2014 7:42:34 PM
> Subject: Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into KC
> subsystem
>
> On 10/31/2014 4:15 AM, Stian Thorgersen wrote:
> > Looks good to me. We should include this in Beta1.
> >
> > A few comments/questions:
> >
> > * Can we support enabling confidential transport-guarantee
> > (auth-server/WEB-INF/web.xml) without cracking open the WAR? This seems
> > to
> > be the last requirement for an exploded WAR
> Looking this over, it seems pretty important! I think I'd like to go
> ahead and implement this option before we merge. I should be able to do
> that and also finish the doc updates by the middle of next week. Just
> go ahead and release the Beta if you want. I can catch the next release
> train.
>
> I plan to implement this as a boolean value on on the server called
> "https-required". Is there a better name for it?
> <subsystem xmlns="urn:jboss:domain:keycloak:1.0">
> <auth-server name="foo">
> <enabled>true</enabled>
> <web-context>auth</web-context>
> <https-required>true</https-required>
> </auth-server>
> </subsystem>
>
> Should the default be false? I realize that the default in the
> appliance dist is false, but should the default always be false?
We already have the option 'ssl-required' on a realm, so that may be
confusing. What about 'redirect-non-ssl'?
It shouldn't be on by default, as that would require setting up ssl for
development as well. We have the 'ssl-required' set to 'external' to give
us
a compromise between usability and security.
>
> If true, this will be automatically added to auth-server.war at deploy
> time:
>
> <security-constraint>
> <web-resource-collection>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
>
>
>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev