[keycloak-dev] Require SSL option
Marek Posolda
mposolda at redhat.com
Thu Dec 12 12:42:31 EST 2013
I did not find any related JIRA, so I created
https://issues.jboss.org/browse/KEYCLOAK-232 .
Marek
On 11.12.2013 14:54, Bill Burke wrote:
> I think there is a JIRA somewhere to make sure that SSL checks are
> made if this flag is set.
>
> On 12/11/2013 8:34 AM, Marek Posolda wrote:
>> Ah ok. Thanks. Currently it's used just for cookies. It's allowed to
>> have HTTP redirect URLs and to authenticate into Keycloak with the plain
>> HTTP protocol. So should I create a JIRA to improve that and add stricter
>> checks based on protocol?
>>
>> Marek
>>
>> On 11.12.2013 14:05, Bill Burke wrote:
>>> Require SSL means that all interaction with the Keycloak server is
>>> required to be HTTPS. All redirect URLs must also use the HTTPS
>>> protocol. Like you said, it will also set "secure" on any set cookies,
>>> but that's only part of it. Other than renaming it to "Require HTTPS",
>>> I think the name is appropriate.
>>>
>>> On 12/10/2013 11:20 AM, Marek Posolda wrote:
>>>> Hi,
>>>>
>>>> I would like to ask what exactly the semantics of the realm option
>>>> "Require SSL" are. My first impression is that if this option is
>>>> enabled, then access to a URI like
>>>> "http://localhost:8080/auth-server/rest/realms/demo/..." should be
>>>> allowed just with the 'https' protocol instead of plain 'http'.
>>>> Actually, HTTP access to the realm is enabled and login works. The
>>>> option is used just for securing cookies like KEYCLOAK_IDENTITY, so
>>>> that SSO reauthentication with cookies is effectively disabled. But
>>>> shouldn't we rename this option to something like "Use secured
>>>> cookie" then? The name "Require SSL" seems to be confusing IMO.
>>>>
>>>> There is also one more issue,
>>>> https://issues.jboss.org/browse/KEYCLOAK-227, due to the fact that
>>>> the option doesn't affect just the KEYCLOAK_IDENTITY cookie but also
>>>> KEYCLOAK_ACCOUNT_IDENTITY, which means that I am always redirected
>>>> back to the login form after a successful login in case the login
>>>> has been triggered for the AccountManagement application.
>>>>
>>>> WDYT?
>>>> Marek
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>
>
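The three things Bill says "Require SSL" should cover (every interaction with the server over HTTPS, only HTTPS redirect URLs, and the Secure flag on the cookies), as an added illustration that is not part of the thread and not Keycloak's own code. The `Realm` dataclass, the check functions, the cookie format, the registered redirect URI and the simulated browser are all assumptions made for this example. The `strict=False` path models the cookie-only behaviour Marek describes, where a login over plain HTTP sets a Secure cookie that the browser then never sends back, so the user lands on the login form again.

```python
"""Model of a realm-level "Require SSL" policy (hypothetical, not Keycloak code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Realm:
    name: str
    require_ssl: bool
    # Registered redirect URIs for the realm's applications (constructed sample).
    redirect_uris: list = field(default_factory=list)


class SslPolicyError(Exception):
    """Raised when a request or URL violates the realm's Require SSL policy."""


def check_request_scheme(realm, scheme):
    """Reject any non-HTTPS interaction with the realm when Require SSL is on."""
    if realm.require_ssl and scheme.lower() != "https":
        raise SslPolicyError(
            f"realm {realm.name!r} requires SSL; got a {scheme!r} request")


def validate_redirect_uri(realm, redirect_uri):
    """A redirect URL must be well formed, registered and, under Require SSL, https."""
    parts = urlsplit(redirect_uri)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise SslPolicyError(f"malformed redirect URI {redirect_uri!r}")
    if realm.require_ssl and parts.scheme.lower() != "https":
        raise SslPolicyError(
            f"redirect URI {redirect_uri!r} must use https under Require SSL")
    if redirect_uri not in realm.redirect_uris:
        raise SslPolicyError(f"redirect URI {redirect_uri!r} is not registered")
    return redirect_uri


def redirect_uri_allowed(realm, redirect_uri):
    """Boolean convenience wrapper around validate_redirect_uri."""
    try:
        validate_redirect_uri(realm, redirect_uri)
    except SslPolicyError:
        return False
    return True


def identity_cookie(realm, name, value):
    """Build Set-Cookie attributes; Secure is added only when Require SSL is on."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if realm.require_ssl:
        attrs.append("Secure")
    return "; ".join(attrs)


def browser_sends_cookie(set_cookie_header, request_scheme):
    """Browser rule: a cookie carrying the Secure attribute is only sent over https."""
    secure = "Secure" in set_cookie_header.split("; ")[1:]
    return request_scheme.lower() == "https" or not secure


def login_roundtrip(realm, request_scheme, redirect_uri, strict=True):
    """Simulate a login followed by the cookie-based SSO re-check.

    Returns "rejected" when the strict policy refuses the request up front,
    "ok" when the SSO cookie comes back on the follow-up request, and "loop"
    when a Secure cookie was set during a plain-HTTP login and therefore is
    never returned, which sends the user back to the login form.
    strict=False models checking only the cookie flag, not the protocol.
    """
    if strict:
        try:
            check_request_scheme(realm, request_scheme)
            validate_redirect_uri(realm, redirect_uri)
        except SslPolicyError:
            return "rejected"
    cookie = identity_cookie(realm, "KEYCLOAK_IDENTITY", "opaque-token")
    # The browser follows the redirect and calls back using the same scheme.
    return "ok" if browser_sends_cookie(cookie, request_scheme) else "loop"


if __name__ == "__main__":
    demo = Realm("demo", require_ssl=True,
                 redirect_uris=["https://app.example/callback"])
    for scheme, strict in (("https", True), ("http", True), ("http", False)):
        print(scheme, "strict" if strict else "cookie-only",
              login_roundtrip(demo, scheme, "https://app.example/callback", strict))
```

With the protocol check in place an HTTP login is refused outright instead of silently setting a cookie the browser will never return; without it (the cookie-only behaviour) the same request "succeeds" and then loops back to the login form.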