I think there is a JIRA somewhere to make sure that SSL checks are
made if this flag is set.

On 12/11/2013 8:34 AM, Marek Posolda wrote:
> ah ok. Thanks. Currently it's used just for cookies. It's allowed to
> have http redirect URLs and authenticate into Keycloak with plain HTTP
> protocol. So should I create JIRA to improve that and add more strict
> checks based on protocol?
>
> Marek
>
> On 11.12.2013 14:05, Bill Burke wrote:
>> Require SSL means that all interaction with Keycloak server is required
>> to be HTTPS. All redirect URLs must also use the HTTPS protocol. Like
>> you said, it also will set "secure" on any set Cookies, but that's only
>> part of it. Other than renaming it to "Require HTTPS", I think the name
>> is appropriate.
>>
>> On 12/10/2013 11:20 AM, Marek Posolda wrote:
>>> Hi,
>>>
>>> I would like to ask what exactly is semantics of realm option "Require
>>> SSL"? My first impression is that if this option is enabled, then access
>>> to URI like "http://localhost:8080/auth-server/rest/realms/demo/..."
>>> should be allowed just with 'https' protocol instead of plain 'http'.
>>> Actually http access to realm is enabled and login works. Option is used
>>> just for securing cookies like KEYCLOAK_IDENTITY, so that SSO
>>> reauthentication with cookies is effectively disabled. But shouldn't we
>>> rename this option to something "Use secured cookie" then? Name "Require
>>> SSL" seems to be confusing IMO.
>>>
>>> There is also one more issue
>>> https://issues.jboss.org/browse/KEYCLOAK-227 due to the fact that option
>>> doesn't affect just KEYCLOAK_IDENTITY cookie but also
>>> KEYCLOAK_ACCOUNT_IDENTITY, which means that I am always redirected back
>>> to login form after successful login in case that login has been
>>> triggered for AccountManagement application.
>>>
>>> WDYT?
>>> Marek
>
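
Added example, not part of the thread and not Keycloak code: a sketch of the three checks the thread attaches to "Require SSL" (HTTPS-only requests, HTTPS-only redirect URLs, Secure cookies). The class and method names, the cookie attributes other than Secure, and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Hypothetical helper, not Keycloak's implementation.
public class RequireSslCheck {
    private final boolean requireSsl;

    public RequireSslCheck(boolean requireSsl) { this.requireSsl = requireSsl; }

    // True only for an absolute URI with a host whose scheme is https.
    // URI schemes are case-insensitive, so "HTTPS" must pass as well.
    static boolean isHttps(String uri) {
        try {
            URI parsed = new URI(uri);
            return parsed.isAbsolute()
                    && "https".equalsIgnoreCase(parsed.getScheme())
                    && parsed.getHost() != null;
        } catch (URISyntaxException e) {
            return false; // malformed input fails closed
        }
    }

    // All interaction with the server must be HTTPS when the flag is set.
    public boolean requestAllowed(String requestUri) {
        return !requireSsl || isHttps(requestUri);
    }

    // Redirect URLs must be HTTPS too; relative or scheme-less values are rejected.
    public boolean redirectAllowed(String redirectUri) {
        return !requireSsl || isHttps(redirectUri);
    }

    // Builds a Set-Cookie value; Secure is appended only when the flag is set.
    public String cookieHeader(String name, String value) {
        String cookie = name + "=" + value + "; Path=/";
        return requireSsl ? cookie + "; Secure" : cookie;
    }

    public static void main(String[] args) {
        RequireSslCheck strict = new RequireSslCheck(true);
        String[] samples = {   // constructed sample inputs
            "http://localhost:8080/auth-server/rest/realms/demo",
            "https://localhost:8443/auth-server/rest/realms/demo",
            "HTTPS://app.example.com/callback",
            "/relative/callback",
            "ht tp://broken"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (strict.redirectAllowed(s) ? "allowed" : "rejected"));
        }
        System.out.println(strict.cookieHeader("KEYCLOAK_IDENTITY", "sample-value"));
    }
}
```

With the flag set, only the second and third samples are allowed, and the cookie line ends in "; Secure".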