[keycloak-dev] Isn't SSL required a global setting?

Stian Thorgersen stian at redhat.com
Fri Jan 10 11:49:49 EST 2014


Yer, but does it have to be a per-realm thing? It makes more sense to me that by default all traffic to Keycloak is required to be https, unless you explicitly disable it (for dev).

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 10 January, 2014 4:32:25 PM
> Subject: Re: [keycloak-dev] Isn't SSL required a global setting?
> 
> "Require SSL" is mainly used to force application/oauth redirect URLs to
> be HTTPS endpoints.  Otherwise, auth codes (not tokens) are transmitted
> in the clear back to the application.  A nice side-effect is that if the
> admin forgets to set up web.xml, the token service will barf too :)
> 
> On 1/10/2014 11:24 AM, Stian Thorgersen wrote:
> > At the moment we have an SSL required setting per-realm. I was thinking that
> > it should be a global configuration for a Keycloak server. In production
> > all requests to a Keycloak server should be over https, while in
> > development it should be possible to use http for simplicity. That's not a
> > per-realm thing IMO.
> >
> > If it's ok that it's a global config, we can drop it from the realm and
> > instead add:
> >
> > <security-constraint>
> >      <web-resource-collection>
> >          <web-resource-name>keycloak</web-resource-name>
> >          <url-pattern>/*</url-pattern>
> >      </web-resource-collection>
> >      <user-data-constraint>
> >          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >      </user-data-constraint>
> > </security-constraint>
> >
> > To the web.xml in the distribution. In the documentation we should then
> > have two options, first how to configure SSL on WildFly, second how to
> > allow HTTP (with a warning that it's only for development!).
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
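
The redirect check Bill Burke describes, as an added example that is not from the thread or from Keycloak's code base. The class, enum and method names are hypothetical, the `sslRequired` flag models the per-realm setting under discussion, and limiting redirect targets to http(s) is an assumption.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

// Added illustration; names are hypothetical, not Keycloak code.
public class RedirectUriCheck {

    enum Verdict { ALLOW, REJECT_INSECURE, REJECT_MALFORMED }

    // sslRequired models the per-realm "Require SSL" flag discussed in the thread.
    static Verdict check(String redirectUri, boolean sslRequired) {
        URI uri;
        try {
            uri = new URI(redirectUri);
        } catch (URISyntaxException e) {
            return Verdict.REJECT_MALFORMED;
        }
        String scheme = uri.getScheme();
        // Relative or host-less URIs cannot be judged for transport security.
        if (scheme == null || uri.getHost() == null) {
            return Verdict.REJECT_MALFORMED;
        }
        if (scheme.equalsIgnoreCase("https")) {
            return Verdict.ALLOW;
        }
        if (scheme.equalsIgnoreCase("http")) {
            // Over plain HTTP the auth code in the redirect travels in the clear.
            return sslRequired ? Verdict.REJECT_INSECURE : Verdict.ALLOW;
        }
        // Assumption: only http(s) redirect targets are in scope here.
        return Verdict.REJECT_MALFORMED;
    }

    public static void main(String[] args) {
        // Constructed sample redirect URIs.
        List<String> samples = List.of(
            "https://app.example.com/callback",
            "http://app.example.com/callback",
            "HTTP://app.example.com/callback",
            "//app.example.com/callback",
            "http://bad host/callback");
        for (boolean sslRequired : new boolean[] {true, false}) {
            for (String s : samples) {
                System.out.printf("sslRequired=%-5b %-36s %s%n", sslRequired, s, check(s, sslRequired));
            }
        }
    }
}
```

With the flag set, both plain-HTTP samples come back `REJECT_INSECURE`; with it cleared (the development case) they are allowed, while the scheme-less and unparsable samples are rejected either way.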

