To make sure no-one goes of and uses Keycloak in production without HTTPS we should require SSL by default. To still allow developers to play with Keycloak without having to configure HTTPS first we should allow non-HTTPS if accessed via localhost only. _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

----- Original Message ----- > From: "Bruno Oliveira" <bruno(a)abstractj.org&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > Sent: Thursday, 31 July, 2014 11:11:44 AM > Subject: Re: [keycloak-dev] Enable SSL by default > > +1 on enforcing it. Do we have any plans around HSTS? Or this is > something that sysadmins should configure into their servers? Currently we have an option to disable SSL for each realm (enabled by default), adding HSTS could be tricky as we'd need to know what the option in KC. I'm not convinced we should have the option to disable SSL per-realm, instead we could make it into a global option for the whole server. A server is either in dev or production mode, I don't see a use-case to have one secure realm and one unsecure at the same time. That would make it a lot simpler to set the HSTS header in a jax-rs filter, also make it easier for us to check if SSL (for all requests) is enabled in the jax-rs filter. > > On 2014-07-31, Stian Thorgersen wrote: > > To make sure no-one goes of and uses Keycloak in production without HTTPS > > we should require SSL by default. To still allow developers to play with > > Keycloak without having to configure HTTPS first we should allow non-HTTPS > > if accessed via localhost only. > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > -- > > abstractj > PGP: 0x84DC9914 >

From: "Bill Burke" <bburke(a)redhat.com&gt; To: keycloak-dev(a)lists.jboss.org Sent: Thursday, 31 July, 2014 1:53:48 PM Subject: Re: [keycloak-dev] Enable SSL by default So hardcode the localhost requirement? That would work. The switch would be "require ssl" or "non-encrypted localhost only" On 7/31/2014 5:40 AM, Stian Thorgersen wrote: > To make sure no-one goes of and uses Keycloak in production without HTTPS > we should require SSL by default. To still allow developers to play with > Keycloak without having to configure HTTPS first we should allow non-HTTPS > if accessed via localhost only. > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

From: "Stian Thorgersen" <stian(a)redhat.com&gt; To: "Bill Burke" <bburke(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Thursday, 31 July, 2014 4:15:40 PM Subject: Re: [keycloak-dev] Enable SSL by default This is pretty tricky if we want a nice error page. Especially as we need to know the realm to know the login theme. I'm dropping this, and instead adding RealmModel.isSslNotRequiredLocalRequest. By default isSslNotRequired will be false, while isSslNotRequiredLocalRequest will be true. ----- Original Message ----- > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > To: "Bill Burke" <bburke(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Thursday, 31 July, 2014 2:04:47 PM > Subject: Re: [keycloak-dev] Enable SSL by default > > I propose we remove the SSL required switch on the Realm. Instead we have > an > option to configure SSL requirement in keycloak-server.json, which also > allows excluding IP addresses. > > Default config would be: > > { > "https": { > "required" : true, > "exclude": [ "localhost", "127.0.0.1" ] > } > } > > If someone wants to allow local network traffic without https they could > change it to: > > { > "https": { > "required" : true, > "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ] > } > } > > And of course if someone really wants to they can disable it altogether > with: > > { > "https": { > "required" : false, > "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ] > } > } > > If no config is specified I think it should default to required: true, with > empty exclude. > > ----- Original Message ----- > > From: "Bill Burke" <bburke(a)redhat.com&gt; > > To: keycloak-dev(a)lists.jboss.org > > Sent: Thursday, 31 July, 2014 1:53:48 PM > > Subject: Re: [keycloak-dev] Enable SSL by default > > > > So hardcode the localhost requirement? That would work. The switch > > would be "require ssl" or "non-encrypted localhost only" > > > > On 7/31/2014 5:40 AM, Stian Thorgersen wrote: > > > To make sure no-one goes of and uses Keycloak in production without > > > HTTPS > > > we should require SSL by default. To still allow developers to play > > > with > > > Keycloak without having to configure HTTPS first we should allow > > > non-HTTPS > > > if accessed via localhost only. > > > _______________________________________________ > > > keycloak-dev mailing list > > > keycloak-dev(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

From: "Bill Burke" <bburke(a)redhat.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Friday, 1 August, 2014 2:25:38 PM Subject: Re: [keycloak-dev] Enable SSL by default As usual, great stuff. On 8/1/2014 8:55 AM, Stian Thorgersen wrote: > Added, ssl-not-required has been replaced with ssl-required with valid > options: > > * all - requires SSL for all requests > * external - requires SSL for external requests (default) > * none - don't require SSL at all > > Both the server and adapters have been updated. > > ----- Original Message ----- >> From: "Stian Thorgersen" <stian(a)redhat.com&gt; >> To: "Bill Burke" <bburke(a)redhat.com&gt; >> Cc: keycloak-dev(a)lists.jboss.org >> Sent: Thursday, 31 July, 2014 4:15:40 PM >> Subject: Re: [keycloak-dev] Enable SSL by default >> >> This is pretty tricky if we want a nice error page. Especially as we need >> to >> know the realm to know the login theme. >> >> I'm dropping this, and instead adding >> RealmModel.isSslNotRequiredLocalRequest. By default isSslNotRequired will >> be >> false, while isSslNotRequiredLocalRequest will be true. >> >> ----- Original Message ----- >>> From: "Stian Thorgersen" <stian(a)redhat.com&gt; >>> To: "Bill Burke" <bburke(a)redhat.com&gt; >>> Cc: keycloak-dev(a)lists.jboss.org >>> Sent: Thursday, 31 July, 2014 2:04:47 PM >>> Subject: Re: [keycloak-dev] Enable SSL by default >>> >>> I propose we remove the SSL required switch on the Realm. Instead we have >>> an >>> option to configure SSL requirement in keycloak-server.json, which also >>> allows excluding IP addresses. >>> >>> Default config would be: >>> >>> { >>> "https": { >>> "required" : true, >>> "exclude": [ "localhost", "127.0.0.1" ] >>> } >>> } >>> >>> If someone wants to allow local network traffic without https they could >>> change it to: >>> >>> { >>> "https": { >>> "required" : true, >>> "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ] >>> } >>> } >>> >>> And of course if someone really wants to they can disable it altogether >>> with: >>> >>> { >>> "https": { >>> "required" : false, >>> "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ] >>> } >>> } >>> >>> If no config is specified I think it should default to required: true, >>> with >>> empty exclude. >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>> To: keycloak-dev(a)lists.jboss.org >>>> Sent: Thursday, 31 July, 2014 1:53:48 PM >>>> Subject: Re: [keycloak-dev] Enable SSL by default >>>> >>>> So hardcode the localhost requirement? That would work. The switch >>>> would be "require ssl" or "non-encrypted localhost only" >>>> >>>> On 7/31/2014 5:40 AM, Stian Thorgersen wrote: >>>>> To make sure no-one goes of and uses Keycloak in production without >>>>> HTTPS >>>>> we should require SSL by default. To still allow developers to play >>>>> with >>>>> Keycloak without having to configure HTTPS first we should allow >>>>> non-HTTPS >>>>> if accessed via localhost only. >>>>> _______________________________________________ >>>>> keycloak-dev mailing list >>>>> keycloak-dev(a)lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>> >>>> >>>> -- >>>> Bill Burke >>>> JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> _______________________________________________ >>>> keycloak-dev mailing list >>>> keycloak-dev(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com