ah ok. Thanks. Currently it's used just for cookies. It's allowed to
have http redirect URLs and authenticate into Keycloak with plain HTTP
protocol. So should I create JIRA to improve that and add more strict
checks based on protocol?
Marek
On 11.12.2013 14:05, Bill Burke wrote:
Require SSL means that all interaction with Keycloak server is required
to be HTTPS. All redirect URLs must also use the HTTPS protocol. Like
you said, it also will set "secure" on any set Cookies, but that's only
part of it. Other than renaming it to "Require HTTPS", i think the name
is appropriate.
On 12/10/2013 11:20 AM, Marek Posolda wrote:
> Hi,
>
> I would like to ask what exactly is semantics of realm option "Require
> SSL"? My first impression is that if this option is enabled, then access
> to URI like "http://localhost:8080/auth-server/rest/realms/demo/..."
> should be allowed just with 'https' protocol instead of plain 'http'.
> Actually http access to realm is enabled and login works. Option is used
> just for securing cookies like KEYCLOAK_IDENTITY, so that SSO
> reauthentication with cookies is effectively disabled. But shouldn't we
> rename this option to something "Use secured cookie" then? Name "Require
> SSL" seems to be confusing IMO.
>
> There is also one more issue
> https://issues.jboss.org/browse/KEYCLOAK-227 due to the fact that option
> doesn't affect just KEYCLOAK_IDENTITY cookie but also
> KEYCLOAK_ACCOUNT_IDENTITY, which means that I am always redirected back
> to login form after successful login in case that login has been
> triggered for AccountManagement application.
>
> WDYT?
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
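The three consequences of "Require SSL" that Bill lists (HTTPS-only requests, HTTPS-only redirect URLs, Secure on identity cookies) written out as a small policy check. This is an added illustration, not Keycloak code; `RealmConfig`, the function names and the sample realm and redirect URIs are assumptions constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


# Hypothetical model of the realm switch discussed in the thread; the field
# names are constructed for this example, not Keycloak's own configuration.
@dataclass(frozen=True)
class RealmConfig:
    name: str
    ssl_required: bool


def request_allowed(realm, request_url):
    """A 'Require SSL' realm only serves requests that arrived over HTTPS."""
    scheme = urlsplit(request_url).scheme.lower()
    return scheme == "https" or not realm.ssl_required


def redirect_uri_violations(realm, redirect_uris):
    """Return the registered redirect URIs that break the realm policy.

    With 'Require SSL' on, every redirect URI must use https; with it off,
    the registration is accepted unchanged (empty list)."""
    if not realm.ssl_required:
        return []
    return [u for u in redirect_uris if urlsplit(u).scheme.lower() != "https"]


def cookie_header(name, value, realm):
    """Build a Set-Cookie value for an identity cookie such as KEYCLOAK_IDENTITY.

    The Secure attribute is added only when the realm requires SSL, so the
    browser never replays the cookie over plain HTTP."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if realm.ssl_required:
        parts.append("Secure")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample realm and client redirect URIs.
    demo = RealmConfig(name="demo", ssl_required=True)
    uris = ["https://app.example.test/callback", "http://app.example.test/callback"]
    print(request_allowed(demo, "http://localhost:8080/auth-server/rest/realms/demo/"))
    print(redirect_uri_violations(demo, uris))
    print(cookie_header("KEYCLOAK_IDENTITY", "opaque-token", demo))
```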