Require SSL means that all interaction with Keycloak server is required
to be HTTPS. All redirect URLs must also use the HTTPS protocol. Like
you said, it also will set "secure" on any set Cookies, but that's only
part of it. Other than renaming it to "Require HTTPS", I think the name
is appropriate.
On 12/10/2013 11:20 AM, Marek Posolda wrote:
Hi,
I would like to ask what exactly the semantics of the realm option "Require
SSL" are. My first impression was that if this option is enabled, then access
to a URI like "http://localhost:8080/auth-server/rest/realms/demo/..."
should be allowed only with the 'https' protocol instead of plain 'http'.
Actually, http access to the realm is enabled and login works. The option is used
just for securing cookies like KEYCLOAK_IDENTITY, so that SSO
reauthentication with cookies is effectively disabled. But shouldn't we
rename this option to something like "Use secured cookie" then? The name "Require
SSL" seems to be confusing IMO.
There is also one more issue,
https://issues.jboss.org/browse/KEYCLOAK-227, due to the fact that the option
doesn't affect just the KEYCLOAK_IDENTITY cookie but also
KEYCLOAK_ACCOUNT_IDENTITY, which means that I am always redirected back
to the login form after a successful login in case the login has been
triggered for the AccountManagement application.
WDYT?
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
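As an added illustration (not Keycloak's own code), here is a small Python checker that encodes the three behaviours Bill lists for "Require SSL": the request must be HTTPS, redirect URIs must be HTTPS, and the identity cookies must carry the Secure attribute. The request URL, redirect URI and Set-Cookie values are constructed samples; the function and cookie-name tuple are assumed names.

```python
from urllib.parse import urlparse

# Cookie names from the thread that the option marks as Secure.
SECURED_COOKIES = ("KEYCLOAK_IDENTITY", "KEYCLOAK_ACCOUNT_IDENTITY")


def _cookie_attrs(set_cookie):
    """Split a Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def require_ssl_violations(request_url, redirect_uris, set_cookie_headers):
    """Return the list of things a 'Require SSL' realm would reject.

    Rule 1: the request itself must arrive over https.
    Rule 2: every redirect URI must use https.
    Rule 3: the identity cookies must carry the Secure attribute.
    """
    violations = []
    if urlparse(request_url).scheme != "https":
        violations.append("plain-http request: " + request_url)
    for uri in redirect_uris:
        if urlparse(uri).scheme != "https":
            violations.append("non-https redirect URI: " + uri)
    for header in set_cookie_headers:
        name, attrs = _cookie_attrs(header)
        if name in SECURED_COOKIES and "secure" not in attrs:
            violations.append("cookie " + name + " missing Secure attribute")
    return violations


# Constructed sample: a realm reached over plain http, as in Marek's question.
SAMPLE_REQUEST = "http://localhost:8080/auth-server/rest/realms/demo"
SAMPLE_REDIRECTS = ["http://localhost:8080/app/"]
SAMPLE_COOKIES = ["KEYCLOAK_IDENTITY=abc123; Path=/auth-server; HttpOnly"]


def check_sample():
    """Run the checker over the constructed sample; all three rules fail."""
    return require_ssl_violations(SAMPLE_REQUEST, SAMPLE_REDIRECTS, SAMPLE_COOKIES)


if __name__ == "__main__":
    for v in check_sample():
        print(v)
```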