[keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into KC subsystem

Stan Silvert ssilvert at redhat.com
Mon Nov 3 08:40:08 EST 2014 

Great.  I'll go ahead and remove it from web.xml and remove that section 
from the doco.

On 11/3/2014 8:35 AM, Stian Thorgersen wrote:
> Yep
>
> ----- Original Message -----
>> From: "Stan Silvert" <ssilvert at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Monday, 3 November, 2014 2:29:41 PM
>> Subject: Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into KC subsystem
>>
>> So it is decided then?  We are dropping the confidential setting in web.xml?
>>
>> On 11/3/2014 8:20 AM, Bill Burke wrote:
>>> #3 is a great point.
>>>
>>> On 11/3/2014 5:28 AM, Stian Thorgersen wrote:
>>>> Actually, thinking about it we should just drop the confidential setting
>>>> in web.xml.
>>>>
>>>> #1 We have ssl-required on realm - there may be traffic where we don't
>>>> check, but we should improve instead of relying on setting in web.xml
>>>> #2 Users shouldn't access Keycloak directly - users click on links in
>>>> applications they don't navigate to a page on KC itself, so there's not
>>>> really a need to do the redirect from http
>>>> #3 Could be risky - if an application uses a custom adapter/lib (or have
>>>> the wrong ssl-required in keycloak.json) and a http library that
>>>> automatically follows the redirect. This would mean that an application
>>>> posts code and client secret to http://.., which returns a 302, the http
>>>> library then re-posts to https://... Keycloak would think all requests
>>>> are done using ssl (as it doesn't see the initial http request, only the
>>>> app server does) and the developer could also be unaware of this, the end
>>>> result being that an application would post codes and secrets in
>>>> clear-text as well as post every request twice.
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Stian Thorgersen" <stian at redhat.com>
>>>>> To: "Stan Silvert" <ssilvert at redhat.com>
>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>> Sent: Monday, 3 November, 2014 9:19:15 AM
>>>>> Subject: Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into
>>>>> KC subsystem
>>>>>
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Stan Silvert" <ssilvert at redhat.com>
>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>>> Sent: Friday, 31 October, 2014 7:42:34 PM
>>>>>> Subject: Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into
>>>>>> KC
>>>>>> subsystem
>>>>>>
>>>>>> On 10/31/2014 4:15 AM, Stian Thorgersen wrote:
>>>>>>> Looks good to me. We should include this in Beta1.
>>>>>>>
>>>>>>> A few comments/questions:
>>>>>>>
>>>>>>> * Can we support enabling confidential transport-guarantee
>>>>>>> (auth-server/WEB-INF/web.xml) without cracking open the WAR? This seems
>>>>>>> to
>>>>>>> be the last requirement for an exploded WAR
>>>>>> Looking this over, it seems pretty important!  I think I'd like to go
>>>>>> ahead and implement this option before we merge.  I should be able to do
>>>>>> that and also finish the doc updates by the middle of next week.  Just
>>>>>> go ahead and release the Beta if you want.  I can catch the next release
>>>>>> train.
>>>>>>
>>>>>> I plan to implement this as a boolean value on on the server called
>>>>>> "https-required".   Is there a better name for it?
>>>>>> <subsystem xmlns="urn:jboss:domain:keycloak:1.0">
>>>>>>                 <auth-server name="foo">
>>>>>>                     <enabled>true</enabled>
>>>>>>                     <web-context>auth</web-context>
>>>>>>                     <https-required>true</https-required>
>>>>>>                 </auth-server>
>>>>>> </subsystem>
>>>>>>
>>>>>> Should the default be false?  I realize that the default in the
>>>>>> appliance dist is false, but should the default always be false?
>>>>> We already have the option 'ssl-required' on a realm, so that may be
>>>>> confusing. What about 'redirect-non-ssl'?
>>>>>
>>>>> It shouldn't be on by default, as that would require setting up ssl for
>>>>> development as well. We have the 'ssl-required' set to 'external' to give
>>>>> us
>>>>> a compromise between usability and security.
>>>>>
>>>>>> If true, this will be automatically added to auth-server.war at deploy
>>>>>> time:
>>>>>>
>>>>>> <security-constraint>
>>>>>>        <web-resource-collection>
>>>>>>           <url-pattern>/*</url-pattern>
>>>>>>        </web-resource-collection>
>>>>>>        <user-data-constraint>
>>>>>>           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>>>>        </user-data-constraint>
>>>>>> </security-constraint>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

More information about the keycloak-dev mailing list