[keycloak-dev] Require SSL option
Bill Burke
bburke at redhat.com
Wed Dec 11 08:54:09 EST 2013
I think there is a JIRA somewhere to make sure that SSL checks are made
if this flag is set.
On 12/11/2013 8:34 AM, Marek Posolda wrote:
> Ah ok. Thanks. Currently it's used just for cookies. It's allowed to
> have http redirect URLs and authenticate into Keycloak with the plain HTTP
> protocol. So should I create a JIRA to improve that and add more strict
> checks based on protocol?
>
> Marek
>
> On 11.12.2013 14:05, Bill Burke wrote:
>> Require SSL means that all interaction with the Keycloak server is required
>> to be HTTPS. All redirect URLs must also use the HTTPS protocol. Like
>> you said, it also will set "secure" on any set cookies, but that's only
>> part of it. Other than renaming it to "Require HTTPS", I think the name
>> is appropriate.
>>
>> On 12/10/2013 11:20 AM, Marek Posolda wrote:
>>> Hi,
>>>
>>> I would like to ask what exactly the semantics of the realm option "Require
>>> SSL" are. My first impression is that if this option is enabled, then access
>>> to a URI like "http://localhost:8080/auth-server/rest/realms/demo/..."
>>> should be allowed just with the 'https' protocol instead of plain 'http'.
>>> Actually, http access to the realm is enabled and login works. The option is used
>>> just for securing cookies like KEYCLOAK_IDENTITY, so that SSO
>>> reauthentication with cookies is effectively disabled. But shouldn't we
>>> rename this option to something like "Use secured cookie" then? The name "Require
>>> SSL" seems to be confusing IMO.
>>>
>>> There is also one more issue,
>>> https://issues.jboss.org/browse/KEYCLOAK-227, due to the fact that the option
>>> doesn't affect just the KEYCLOAK_IDENTITY cookie but also
>>> KEYCLOAK_ACCOUNT_IDENTITY, which means that I am always redirected back
>>> to the login form after a successful login in case the login has been
>>> triggered for the AccountManagement application.
>>>
>>> WDYT?
>>> Marek
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
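The thread describes three things a "Require SSL" realm flag should enforce: the request to the server itself must arrive over HTTPS, any redirect URL must use HTTPS, and identity cookies must carry the Secure attribute (the only part the thread says is enforced today). The following Python snippet is an added illustration of those semantics and is not Keycloak's code; the class and function names (RealmPolicy, evaluate, identity_cookie) and the sample URLs are assumptions made for the example.

```python
from urllib.parse import urlparse

# Hypothetical enforcement of a "Require SSL" realm flag (illustration only,
# not Keycloak's implementation). It checks the scheme of the incoming request,
# the scheme of the client's redirect URI, and decides whether identity cookies
# get the Secure attribute. All names here are assumptions for this example.


class RealmPolicy:
    def __init__(self, require_ssl: bool):
        self.require_ssl = require_ssl

    @staticmethod
    def _scheme(url: str) -> str:
        # Compare schemes case-insensitively; an empty scheme counts as non-HTTPS.
        return (urlparse(url).scheme or "").lower()

    def evaluate(self, request_url: str, redirect_uri: str) -> list[str]:
        """Return a list of violations; an empty list means the login may proceed.

        With require_ssl unset nothing is checked, matching the "currently only
        cookies are affected" behaviour described in the thread.
        """
        if not self.require_ssl:
            return []
        violations = []
        if self._scheme(request_url) != "https":
            violations.append(f"request to realm must use https: {request_url}")
        if self._scheme(redirect_uri) != "https":
            violations.append(f"redirect URI must use https: {redirect_uri}")
        return violations

    def identity_cookie(self, name: str, value: str, path: str = "/") -> str:
        """Build a Set-Cookie header value for an identity cookie such as KEYCLOAK_IDENTITY.

        Secure is added only when require_ssl is set, so a browser will never
        send the cookie over plain HTTP for such a realm.
        """
        attrs = [f"{name}={value}", f"Path={path}", "HttpOnly"]
        if self.require_ssl:
            attrs.append("Secure")
        return "; ".join(attrs)


if __name__ == "__main__":
    # Constructed sample inputs, modelled on the localhost URL quoted in the thread.
    strict = RealmPolicy(require_ssl=True)
    print(strict.evaluate("http://localhost:8080/auth-server/rest/realms/demo/login",
                          "http://app.example.test/callback"))
    print(strict.identity_cookie("KEYCLOAK_IDENTITY", "opaque-token-value"))
```

Note that when require_ssl is set the cookie check alone is not sufficient: a browser will withhold a Secure cookie on http://, so a user who authenticated over plain HTTP simply appears logged out, which is the same symptom the thread reports for KEYCLOAK_ACCOUNT_IDENTITY. Rejecting the non-HTTPS request or redirect up front gives a clear error instead of a silent redirect loop.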