[keycloak-dev] Isn't SSL required a global setting?

Stian Thorgersen stian at redhat.com
Fri Jan 10 12:02:49 EST 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 10 January, 2014 4:59:35 PM
> Subject: Re: [keycloak-dev] Isn't SSL required a global setting?
> 
> I don't know.  Maybe some applications will not be able to have HTTPS.
> A realm may want to allow an application to receive auth code redirects
> over an insecure channel.

You might be right - playing devil's advocate here, but wouldn't that mean it should be a per-app config? ;)

> 
> On 1/10/2014 11:49 AM, Stian Thorgersen wrote:
> > Yer, but does it have to be a per-realm thing? It makes more sense to me
> > that by default all traffic to Keycloak is required to be https, unless
> > you explicitly disable it (for dev).
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Friday, 10 January, 2014 4:32:25 PM
> >> Subject: Re: [keycloak-dev] Isn't SSL required a global setting?
> >>
> >> "Require SSL" is mainly used to force application/oauth redirect URLs to
> >> be HTTPS endpoints.  Otherwise, auth codes (not tokens) are transmitted
> >> in the clear back to the application.  A nice side-effect is that if the
> >> admin forgets to set up web.xml, the token service will barf too :)
> >>
> >> On 1/10/2014 11:24 AM, Stian Thorgersen wrote:
> >>> At the moment we have an SSL required setting per-realm. I was thinking
> >>> that it should be a global configuration for a Keycloak server. In
> >>> production all requests to a Keycloak server should be over https, while
> >>> in development it should be possible to use http for simplicity. That's
> >>> not a per-realm thing IMO.
> >>>
> >>> If it's ok that it's a global config, we can drop it from the realm and
> >>> instead add:
> >>>
> >>> <security-constraint>
> >>>       <web-resource-collection>
> >>>           <web-resource-name>keycloak</web-resource-name>
> >>>           <url-pattern>/*</url-pattern>
> >>>       </web-resource-collection>
> >>>       <user-data-constraint>
> >>>           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >>>       </user-data-constraint>
> >>> </security-constraint>
> >>>
> >>> To the web.xml in the distribution. In the documentation we should then
> >>> have two options, first how to configure SSL on WildFly, second how to
> >>> allow HTTP (with a warning that it's only for development!).
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
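As an added illustration of the mechanism Bill describes (the "require SSL" check applied to the redirect URL that carries the auth code) and of the server/realm/application precedence the thread debates; this is constructed example code, not Keycloak's implementation, and the policy levels, class and function names are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed policy levels (assumption, not Keycloak's real settings):
#   "all"  - every redirect URI must be https
#   "none" - plain http is tolerated (development only)
SSL_ALL = "all"
SSL_NONE = "none"


@dataclass
class SslPolicy:
    """Server-wide default, optionally overridden per realm and per application."""
    server_default: str = SSL_ALL
    realm_override: dict = field(default_factory=dict)  # realm -> level
    app_override: dict = field(default_factory=dict)    # (realm, app) -> level

    def effective(self, realm: str, app: str) -> str:
        # Most specific setting wins: application, then realm, then server default.
        if (realm, app) in self.app_override:
            return self.app_override[(realm, app)]
        return self.realm_override.get(realm, self.server_default)


def redirect_uri_allowed(policy: SslPolicy, realm: str, app: str, redirect_uri: str) -> bool:
    """Return True if an auth code may be redirected to redirect_uri under the policy."""
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # reject anything that is not an absolute http(s) URL
    if parts.scheme == "https":
        return True
    # Plain http: the auth code would travel in the clear, so only allow it
    # where SSL has been explicitly disabled for this realm/application.
    return policy.effective(realm, app) == SSL_NONE


if __name__ == "__main__":
    policy = SslPolicy()                      # production default: https everywhere
    policy.realm_override["dev"] = SSL_NONE   # developer realm allows http
    print(redirect_uri_allowed(policy, "prod", "shop", "http://shop.example/cb"))   # False
    print(redirect_uri_allowed(policy, "dev", "shop", "http://localhost:8080/cb"))  # True
```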

