You really do need to use https for both Keycloak and your applications,
otherwise you have basically no security, especially with token-based
security. Rather than try to circumvent this, I strongly suggest you enable
https everywhere.

On Mon, 1 Oct 2018, 21:57 Tungatkar, Niranjan, <Niranjan.Tungatkar(a)arris.com>
wrote:
I have a non-homogeneous set of services (https and http) which use
keycloak for authentication.
My Keycloak instance supports SSL but the other services are
http.
I have an admin user which accesses the
https://keycloak-url:31443/auth url
for user management.
I disabled the strict transport security header on all the realms, which
stops the strict-transport-security header being sent, thus preventing
redirection to https.
But my problem is that whenever the admin user hits the /auth url it sends
the strict-transport-security header, which messes up my angular app.
Is there a way I can configure the response of /auth or the welcome page
to stop sending the strict-transport-security header?
Thanks
Niranjan.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user