[keycloak-dev] Isn't SSL required a global setting?

Stian Thorgersen stian at redhat.com
Fri Jan 10 12:35:33 EST 2014


Created https://issues.jboss.org/browse/KEYCLOAK-260 to track this

----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 10 January, 2014 5:02:49 PM
> Subject: Re: [keycloak-dev] Isn't SSL required a global setting?
> 
> 
> 
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Friday, 10 January, 2014 4:59:35 PM
> > Subject: Re: [keycloak-dev] Isn't SSL required a global setting?
> > 
> > I don't know.  Maybe some applications will not be able to have HTTPS.
> > A realm may want to allow an application to receive auth code redirects
> > over an unsecure channel.
> 
> You might be right - playing devil's advocate here, but wouldn't that mean it
> should be a per-app config? ;)
> 
> > 
> > On 1/10/2014 11:49 AM, Stian Thorgersen wrote:
> > > Yer, but does it have to be a per-realm thing? It makes more sense to me
> > > that by default all traffic to Keycloak is required to be https, unless
> > > you explicitly disable it (for dev).
> > >
> > > ----- Original Message -----
> > >> From: "Bill Burke" <bburke at redhat.com>
> > >> To: keycloak-dev at lists.jboss.org
> > >> Sent: Friday, 10 January, 2014 4:32:25 PM
> > >> Subject: Re: [keycloak-dev] Isn't SSL required a global setting?
> > >>
> > >> "Require SSL" is mainly used to force application/oauth redirect URLs to
> > >> be HTTPS endpoints.  Otherwise, auth codes (not tokens) are transmitted
> > >> in the clear back to the application.  A nice side-effect is that if the
> > >> admin forgets to set up web.xml, the token service will barf too :)
> > >>
> > >> On 1/10/2014 11:24 AM, Stian Thorgersen wrote:
> > >>> At the moment we have an SSL required setting per-realm. I was thinking
> > >>> that it should be a global configuration for a Keycloak server. In
> > >>> production all requests to a Keycloak server should be over https,
> > >>> while in development it should be possible to use http for simplicity.
> > >>> That's not a per-realm thing IMO.
> > >>>
> > >>> If it's ok that it's a global config, we can drop it from the realm and
> > >>> instead add:
> > >>>
> > >>> <security-constraint>
> > >>>       <web-resource-collection>
> > >>>           <web-resource-name>keycloak</web-resource-name>
> > >>>           <url-pattern>/*</url-pattern>
> > >>>       </web-resource-collection>
> > >>>       <user-data-constraint>
> > >>>           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > >>>       </user-data-constraint>
> > >>> </security-constraint>
> > >>>
> > >>> To the web.xml in the distribution. In the documentation we should then
> > >>> have two options, first how to configure SSL on WildFly, second how to
> > >>> allow HTTP (with a warning that it's only for development!).
> > >>> _______________________________________________
> > >>> keycloak-dev mailing list
> > >>> keycloak-dev at lists.jboss.org
> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >>>
> > >>
> > >> --
> > >> Bill Burke
> > >> JBoss, a division of Red Hat
> > >> http://bill.burkecentral.com
> > >>
> > 
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > 
> 
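The "Require SSL" decision argued over in this thread, as an added example in Python that is not Keycloak's own code: a server-wide default that a realm (or, per Bill's suggestion, an application) can only override explicitly, plus the redirect-URI check that keeps authorization codes off cleartext http. Function names, the inheritance order and the sample URIs are all constructed for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit


def effective_ssl_required(server_default: bool,
                           realm_setting: Optional[bool] = None,
                           app_setting: Optional[bool] = None) -> bool:
    """Resolve the 'Require SSL' flag for one application.

    Models the thread's options as one chain: a global server default that a
    realm, and below it an application, may override only by setting an
    explicit True/False. None means 'inherit from the level above', so the
    normal production state is 'everything explicit is left at None and the
    server default of True applies'. Whether lower levels should be allowed to
    relax the requirement at all is the question the thread debates.
    """
    for setting in (app_setting, realm_setting):
        if setting is not None:
            return setting
    return server_default


def check_redirect_uri(redirect_uri: str, ssl_required: bool) -> Tuple[bool, str]:
    """Decide whether an OAuth redirect URI may receive an authorization code.

    The code is appended to the redirect, so an http:// redirect URI exposes
    it in the clear on the wire; with SSL required only https:// is accepted.
    Constructed policy check, not Keycloak's implementation.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False, "unsupported or malformed redirect URI: %r" % redirect_uri
    if ssl_required and parts.scheme != "https":
        return False, "SSL required: auth code would travel in the clear over http"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: production server, one dev realm that opted out.
    prod = effective_ssl_required(server_default=True)
    dev = effective_ssl_required(server_default=True, realm_setting=False)
    for uri in ("https://app.example/oauth/callback", "http://app.example/oauth/callback"):
        print(uri, "prod:", check_redirect_uri(uri, prod), "dev:", check_redirect_uri(uri, dev))
```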

