I think there is a JIRA somewhere to make sure that SSL checks are
made if this flag is set.
On 12/11/2013 8:34 AM, Marek Posolda wrote:
> Ah ok. Thanks. Currently it's used just for cookies. It's allowed to
> have http redirect URLs and authenticate into Keycloak with the plain HTTP
> protocol. So should I create a JIRA to improve that and add more strict
> checks based on protocol?
> On 11.12.2013 14:05, Bill Burke wrote:
>> Require SSL means that all interaction with the Keycloak server is required
>> to be HTTPS. All redirect URLs must also use the HTTPS protocol. Like
>> you said, it also will set "secure" on any set Cookies, but that's
>> part of it. Other than renaming it to "Require HTTPS", I think the
>> is appropriate.
>> On 12/10/2013 11:20 AM, Marek Posolda wrote:
>>> I would like to ask what exactly the semantics of the realm option "Require
>>> SSL" are? My first impression is that if this option is enabled, then
>>> to URI like
>>> should be allowed just with 'https' protocol instead of plain
>>> Actually, HTTP access to the realm is enabled and login works. The option is
>>> just for securing cookies like KEYCLOAK_IDENTITY, so that SSO
>>> reauthentication with cookies is effectively disabled. But
>>> shouldn't we
>>> rename this option to something like "Use secured cookie" then? The name "Require
>>> SSL" seems to be confusing IMO.
>>> There is also one more issue due to the fact that
>>> doesn't affect just the KEYCLOAK_IDENTITY cookie but also
>>> KEYCLOAK_ACCOUNT_IDENTITY, which means that I am always redirected
>>> to the login form after a successful login in case the login has been
>>> triggered for the AccountManagement application.
>>> keycloak-dev mailing list
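The semantics Bill describes above (every request to the server over HTTPS, https-only redirect URIs, and the Secure flag on the cookies) written out as one check. This is an added illustration for the thread, not Keycloak's code; the Realm dataclass, the function names, the cookie path and the sample inputs are assumptions.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


@dataclass
class Realm:
    """Minimal stand-in for a realm; the field name is an assumption, not Keycloak's model."""
    name: str
    require_ssl: bool


def require_ssl_violations(realm: Realm, request_scheme: str, redirect_uri: str) -> list:
    """Return the reasons a login request violates "Require SSL"; an empty list means allowed.

    Two checks follow the semantics stated in the thread: the request itself must
    arrive over HTTPS, and the redirect URI must use the https scheme. Schemes are
    compared case-insensitively so "HTTPS://..." is not rejected by accident.
    """
    violations = []
    if not realm.require_ssl:
        return violations  # plain HTTP is permitted when the flag is off
    if request_scheme.lower() != "https":
        violations.append(
            f"request to realm {realm.name!r} used {request_scheme!r}, not https")
    scheme = urlsplit(redirect_uri).scheme.lower()
    if scheme == "":
        violations.append(f"redirect URI {redirect_uri!r} has no scheme")
    elif scheme != "https":
        violations.append(f"redirect URI {redirect_uri!r} uses {scheme!r}, not https")
    return violations


def identity_cookie_header(realm: Realm, name: str, value: str) -> str:
    """Render a Set-Cookie value; the Secure flag is tied to the realm's Require SSL setting."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = f"/auth/realms/{realm.name}"  # assumed path layout, for illustration only
    morsel["httponly"] = True
    if realm.require_ssl:
        morsel["secure"] = True  # the browser will not send it back over plain http
    return morsel.OutputString()


if __name__ == "__main__":
    demo = Realm(name="demo", require_ssl=True)
    # Constructed inputs: a plain-HTTP login with an http redirect URI.
    for reason in require_ssl_violations(demo, "http", "http://app.example/callback"):
        print("rejected:", reason)
    print(identity_cookie_header(demo, "KEYCLOAK_IDENTITY", "opaque-token"))
```

With the flag on, the constructed request above is rejected for both reasons and the emitted cookie carries Secure; with the flag off, the same request passes and the cookie is sent without Secure, which is the cookie-only behaviour Marek observed.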