[keycloak-user] Mixing https/http schemes with sslRequired == all

Orestis Tsakiridis orestis.tsakiridis at telestax.com
Wed Jun 10 11:09:31 EDT 2015


Yep, it appears so.

So, we're either talking about a feature, or some sort of behaviour that is
desired. Right?


Anyway, thanks for clarifying this.

On Wed, Jun 10, 2015 at 2:13 PM, Stian Thorgersen <stian at redhat.com> wrote:

>
>
> ----- Original Message -----
> > From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 10 June, 2015 12:57:28 PM
> > Subject: Re: [keycloak-user] Mixing https/http schemes with sslRequired == all
> >
> > Indeed. I've already switched my application to https.
> >
> > The reason I'm asking this is because before switching I got blank (no
> > content) responses from the application's endpoints. HTTP status code was
> > 200 but there was no content returned. At the same time the following
> > warning appeared in the logs.
> >
> > 12:21:55,085 WARN  [org.keycloak.adapters.RequestAuthenticator]
> > (http-/192.168.1.39:8080-4) SSL is required to authenticate
>
> In that case I'm probably mistaken and the Keycloak adapter actually
> checks that the request uses SSL when there's a token in it. That would
> make sense to me that it does, but I wasn't aware that it did ;)
>
> >
> >
> > On Wed, Jun 10, 2015 at 10:14 AM, Stian Thorgersen <stian at redhat.com> wrote:
> >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Wednesday, 10 June, 2015 8:57:01 AM
> > > > Subject: [keycloak-user] Mixing https/http schemes with sslRequired == all
> > > >
> > > > Hello,
> > > >
> > > > Can keycloak operate on HTTPS while the REST application it protects
> > > > runs on HTTP?
> > > >
> > > > I've also set "Require SSL" to "all requests"
> > >
> > > Keycloak only deals with requests made to the Keycloak Server and doesn't
> > > put any restriction on the request to your rest endpoints. However, as you
> > > are passing the token in requests to your rest endpoints it wouldn't be the
> > > best idea to not use ssl. Although the risk can be mitigated slightly by
> > > having a short lifespan on access tokens.
> > >
> > > >
> > > >
> > > > Regards
> > > >
> > > > Orestis
> > > >
> > >
> >
>
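
The check discussed in this thread, sketched as an added example (not code from Keycloak or from either poster): a resource server refuses a bearer token that arrives over plain HTTP when its SSL policy requires TLS. The policy names follow the adapter's `ssl-required` setting; the function names, the local-address list, the status codes and the sample requests are assumptions made for illustration.

```python
import ipaddress

# Values of the adapter's ssl-required setting ("all" is the one in this thread).
POLICIES = ("all", "external", "none")
# Assumption of this example: what counts as a non-external client.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]


def ssl_required(policy, remote_addr):
    """Return True when a request from remote_addr must arrive over TLS."""
    if policy not in POLICIES:
        raise ValueError(f"unknown ssl-required policy: {policy!r}")
    if policy == "all":
        return True
    if policy == "none":
        return False
    try:  # "external": only loopback/private clients may use plain HTTP
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return True  # unparseable client address: fail closed
    return not any(addr in net for net in LOCAL_NETS)


def authenticate(policy, scheme, remote_addr, headers):
    """Gate one request before token validation; returns (status, reason)."""
    kind, _, token = headers.get("Authorization", "").partition(" ")
    if kind.lower() != "bearer" or not token.strip():
        return 401, "no bearer token"
    if scheme != "https" and ssl_required(policy, remote_addr):
        # The token has already crossed the network in clear text: refuse it
        # explicitly so the client fixes its URL instead of retrying.
        return 403, "SSL is required to authenticate"
    return 200, "token passed on for validation"


# Constructed sample requests: (policy, scheme, client address, headers).
SAMPLES = [
    ("all", "http", "192.168.1.39", {"Authorization": "Bearer constructed.sample.token"}),
    ("all", "https", "192.168.1.39", {"Authorization": "Bearer constructed.sample.token"}),
    ("external", "http", "192.168.1.39", {"Authorization": "Bearer constructed.sample.token"}),
    ("external", "http", "203.0.113.7", {"Authorization": "Bearer constructed.sample.token"}),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:3], "->", authenticate(*sample))
```

With the policy set to `all`, the first sample is refused even though the client is on the local network, which is the situation the warning in this thread reports.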