Comments (2)
brat000012001
commented on July 25, 2024
Alistair,
KC Administrators can configure whether to allow plain HTTP access to the realm and all of its resources (protocols, etc), shouldn't it be enough?
from keycloak-wsfed.
AlistairDoswald
commented on July 25, 2024
As far as I know, a KC administrator can only decide if the KC realm will allow http or https connection to it with the Realm Settings > Login > Require SSL value. However, it doesn't have any influence on whether the communication between user and client/WS-Resource/SP is secured or not. You should be able to force this however by specifying that a client's Valid Redirect URIs is of the form https://host:port/....
My question was basically whether we should enforce the use of the https in the Valid Redirect URIs. I also discussed the matter yesterday with a colleague who's more security-oriented than me. We've arrived at the conclusion that since KC doesn't require strict security for the other protocols (the signature of documents can even be removed for the SAML protocol), and doesn't even warn when using unsafe settings, we shouldn't either. I'll get around to adding it in the documentation however (including web-documentation).
However, I haven't completely abandoned the idea of making the interface a little more explicit and displaying a warning when unsafe settings are used.
from keycloak-wsfed.
Related Issues (20)
- List on keycloak.org extensions page HOT 2
- Migrate keycloak-wsfed module for compatibility with 4.0.0.Final HOT 1
- Broker-mode: when key does not match the signature, a "invalidFederatedIdentityActionMessage" is reported
- Can add an samlple for Exchange2013-OWA login ? HOT 13
- Add support for client-scope mappers to the module
- How to obtain jars? HOT 7
- Maven build on master does not work HOT 2
- Support on version 7.0.1 HOT 1
- login_hint issue HOT 1
- Migrate to Keycloak 8.0.1 HOT 5
- Single logout issue HOT 4
- Frontchannel logout problem HOT 3
- Backchannel logout problem HOT 2
- build jar - deps? HOT 11
- Migrate to Keycloak 11.x+ HOT 4
- how to import x509 to keycloak HOT 1
- support for ws-trust HOT 1
- Migrate to keycloak v15 (at least v13) HOT 1
- WS-fed 404 login timeout error on Exchange2016 OWA
- Keycloak 22+ Support Request HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from keycloak-wsfed.