[keycloak-dev] Enable SSL by default
Stian Thorgersen
stian at redhat.com
Fri Aug 1 08:55:01 EDT 2014
Added, ssl-not-required has been replaced with ssl-required with valid options:
* all - requires SSL for all requests
* external - requires SSL for external requests (default)
* none - don't require SSL at all
Both the server and adapters have been updated.
----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 31 July, 2014 4:15:40 PM
> Subject: Re: [keycloak-dev] Enable SSL by default
>
> This is pretty tricky if we want a nice error page. Especially as we need to
> know the realm to know the login theme.
>
> I'm dropping this, and instead adding
> RealmModel.isSslNotRequiredLocalRequest. By default isSslNotRequired will be
> false, while isSslNotRequiredLocalRequest will be true.
>
> ----- Original Message -----
> > From: "Stian Thorgersen" <stian at redhat.com>
> > To: "Bill Burke" <bburke at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Thursday, 31 July, 2014 2:04:47 PM
> > Subject: Re: [keycloak-dev] Enable SSL by default
> >
> > I propose we remove the SSL required switch on the Realm. Instead we have
> > an
> > option to configure SSL requirement in keycloak-server.json, which also
> > allows excluding IP addresses.
> >
> > Default config would be:
> >
> > {
> > "https": {
> > "required" : true,
> > "exclude": [ "localhost", "127.0.0.1" ]
> > }
> > }
> >
> > If someone wants to allow local network traffic without https they could
> > change it to:
> >
> > {
> > "https": {
> > "required" : true,
> > "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
> > }
> > }
> >
> > And of course if someone really wants to they can disable it altogether
> > with:
> >
> > {
> > "https": {
> > "required" : false,
> > "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
> > }
> > }
> >
> > If no config is specified I think it should default to required: true, with
> > empty exclude.
> >
> > ----- Original Message -----
> > > From: "Bill Burke" <bburke at redhat.com>
> > > To: keycloak-dev at lists.jboss.org
> > > Sent: Thursday, 31 July, 2014 1:53:48 PM
> > > Subject: Re: [keycloak-dev] Enable SSL by default
> > >
> > > So hardcode the localhost requirement? That would work. The switch
> > > would be "require ssl" or "non-encrypted localhost only"
> > >
> > > On 7/31/2014 5:40 AM, Stian Thorgersen wrote:
> > > > To make sure no-one goes of and uses Keycloak in production without
> > > > HTTPS
> > > > we should require SSL by default. To still allow developers to play
> > > > with
> > > > Keycloak without having to configure HTTPS first we should allow
> > > > non-HTTPS
> > > > if accessed via localhost only.
> > > > _______________________________________________
> > > > keycloak-dev mailing list
> > > > keycloak-dev at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > >
> > >
> > > --
> > > Bill Burke
> > > JBoss, a division of Red Hat
> > > http://bill.burkecentral.com
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list