[keycloak-dev] Require SSL option

Marek Posolda mposolda at redhat.com
Wed Dec 11 08:34:44 EST 2013


Ah, OK. Thanks. Currently it's used just for cookies. It's allowed to 
have HTTP redirect URLs and authenticate into Keycloak with the plain HTTP 
protocol. So should I create a JIRA to improve that and add stricter 
checks based on the protocol?

Marek

On 11.12.2013 14:05, Bill Burke wrote:
> Require SSL means that all interaction with the Keycloak server is required
> to be HTTPS.  All redirect URLs must also use the HTTPS protocol.  Like
> you said, it also will set "secure" on any set cookies, but that's only
> part of it.  Other than renaming it to "Require HTTPS", I think the name
> is appropriate.
>
> On 12/10/2013 11:20 AM, Marek Posolda wrote:
>> Hi,
>>
>> I would like to ask what exactly the semantics of the realm option "Require
>> SSL" are. My first impression is that if this option is enabled, then access
>> to a URI like "http://localhost:8080/auth-server/rest/realms/demo/..."
>> should be allowed just with the 'https' protocol instead of plain 'http'.
>> Actually, HTTP access to the realm is enabled and login works. The option is used
>> just for securing cookies like KEYCLOAK_IDENTITY, so that SSO
>> reauthentication with cookies is effectively disabled. But shouldn't we
>> rename this option to something like "Use secured cookie" then? The name "Require
>> SSL" seems to be confusing IMO.
>>
>> There is also one more issue,
>> https://issues.jboss.org/browse/KEYCLOAK-227, due to the fact that the option
>> doesn't affect just the KEYCLOAK_IDENTITY cookie but also
>> KEYCLOAK_ACCOUNT_IDENTITY, which means that I am always redirected back
>> to the login form after a successful login in case the login has been
>> triggered for the AccountManagement application.
>>
>> WDYT?
>> Marek
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
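The thread settles on three consequences of "Require SSL": requests to the server must arrive over HTTPS, registered redirect URLs must use HTTPS, and issued cookies carry the Secure flag (which is why, as Marek observed, SSO reauthentication over plain HTTP silently stops working once the cookie is Secure). The following is an added, stand-alone illustration of that policy in generic Python; it is not Keycloak's code, and the class name `RealmSslPolicy`, the `evaluate_login` helper and the sample URLs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RealmSslPolicy:
    """Hypothetical realm-level switch mirroring the 'Require SSL' option."""
    require_ssl: bool

    def request_allowed(self, request_url: str) -> bool:
        """All interaction with the server must be HTTPS when the option is on."""
        if not self.require_ssl:
            return True
        return urlsplit(request_url).scheme.lower() == "https"

    def redirect_uri_allowed(self, redirect_uri: str) -> bool:
        """Redirect URLs must be absolute, and HTTPS when the option is on."""
        parts = urlsplit(redirect_uri)
        if not parts.scheme or not parts.netloc:
            return False  # relative or schemeless values are never accepted
        if self.require_ssl:
            return parts.scheme.lower() == "https"
        return parts.scheme.lower() in ("http", "https")

    def cookie_header(self, name: str, value: str, path: str = "/",
                      max_age: Optional[int] = None) -> str:
        """Build a Set-Cookie header; 'Secure' is added only when SSL is required."""
        attrs = [f"{name}={value}", f"Path={path}", "HttpOnly"]
        if max_age is not None:
            attrs.append(f"Max-Age={max_age}")
        if self.require_ssl:
            attrs.append("Secure")
        return "; ".join(attrs)


def browser_would_send(cookie_header: str, request_url: str) -> bool:
    """Model the browser rule: a cookie marked Secure is only sent over HTTPS."""
    attrs = {a.strip().lower() for a in cookie_header.split(";")[1:]}
    if "secure" in attrs:
        return urlsplit(request_url).scheme.lower() == "https"
    return True


def evaluate_login(policy: RealmSslPolicy, request_url: str, redirect_uri: str) -> str:
    """Apply the two protocol checks in order and name the first failure, if any."""
    if not policy.request_allowed(request_url):
        return "reject:insecure-request"
    if not policy.redirect_uri_allowed(redirect_uri):
        return "reject:insecure-redirect"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    strict = RealmSslPolicy(require_ssl=True)
    login_https = "https://localhost:8443/auth-server/rest/realms/demo/tokens/login"
    login_http = "http://localhost:8080/auth-server/rest/realms/demo/tokens/login"
    print(evaluate_login(strict, login_https, "https://app.example.com/callback"))
    print(evaluate_login(strict, login_http, "https://app.example.com/callback"))
    print(evaluate_login(strict, login_https, "http://app.example.com/callback"))
    identity = strict.cookie_header("KEYCLOAK_IDENTITY", "opaque-token", path="/auth-server")
    print(identity)
    # The Secure cookie never reaches the server over plain HTTP, so SSO
    # reauthentication via the cookie is effectively disabled there.
    print(browser_would_send(identity, login_http), browser_would_send(identity, login_https))
```

The split between `request_allowed` and `redirect_uri_allowed` matters: the first protects the server endpoints themselves, while the second prevents a valid HTTPS login from handing the resulting code or token back to a client over plaintext, which is the gap Marek's first message points at.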
