Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into KC subsystem
----- Original Message -----
From: "Stan Silvert" <ssilvert(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 31 October, 2014 7:42:34 PM
Subject: Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into KC subsystem
On 10/31/2014 4:15 AM, Stian Thorgersen wrote:
> Looks good to me. We should include this in Beta1.
>
> A few comments/questions:
>
> * Can we support enabling confidential transport-guarantee
> (auth-server/WEB-INF/web.xml) without cracking open the WAR? This seems to
> be the last requirement for an exploded WAR
Looking this over, it seems pretty important! I think I'd like to go
ahead and implement this option before we merge. I should be able to do
that and also finish the doc updates by the middle of next week. Just
go ahead and release the Beta if you want. I can catch the next release
train.
I plan to implement this as a boolean value on on the server called
"https-required". Is there a better name for it?
<subsystem xmlns="urn:jboss:domain:keycloak:1.0">
<auth-server name="foo">
<enabled>true</enabled>
<web-context>auth</web-context>
<https-required>true</https-required>
</auth-server>
</subsystem>
Should the default be false? I realize that the default in the
appliance dist is false, but should the default always be false?
We already have the option 'ssl-required' on a realm, so that may be confusing.
What about 'redirect-non-ssl'?
It shouldn't be on by default, as that would require setting up ssl for development as
well. We have the 'ssl-required' set to 'external' to give us a compromise
between usability and security.
If true, this will be automatically added to auth-server.war at deploy time:
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>