Keycloak ssl-required equivalent #81
We're experimenting with migrating an application away from the deprecated Keycloak adapters. Currently we use the Depending on environment we set it to either
Replies: 2 comments
Radio cut

In environments where you want SSL only, enable https and disable http on both Keycloak and Spring servers.

Director's cut

First, you should enable `https` and disable `http` on Keycloak servers on environments you want SSL only to be used. I personally do that on all environments, using self-signed certificates on development ones like my dev machine. Refer to Keycloak documentation for configuration details.

Then you should serve clients and resource-servers with SSL too. With spring-boot, this happens if either `server.ssl.enabled` is set to `true` or if it is not set and `server.ssl.key-password`, `server.ssl.key-store` and `server.ssl.key-store-password` are set. I personally set SERVER_…

If you followed the first tutorial, you might have noticed the following configuration:

```java
// If SSL enabled, disable http (https only)
if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
    http.requiresChannel().anyRequest().requiresSecure();
} else {
    http.requiresChannel().anyRequest().requiresInsecure();
}
```

This forces all traffic to be served with https if SSL is enabled (SSL properties set and SSL not disabled). This code block is also included in my starters.

Last, if your clients are not Spring (I almost only write Angular clients), they should be served over https too. Most frameworks support self-signed certificates, at least in dev.

P.S. My tutorials do not cover (yet?) OAuth2 client configuration. If you serve UI elements with Spring (I understand from your question you do), have a look at this answer on Stack Overflow which contains a sample of an additional "client" filter-chain.
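The answer's snippet switches between https-only and http-only, while the adapter setting named in the title, `ssl-required`, accepts `all`, `external` and `none`. As an added example (not code from this thread or from the answer author's starters), here is one way to approximate all three values with the same `requiresChannel()` API, which goes beyond the two cases in the answer. The `app.ssl-required` property, the class name and the `isExternal` helper are hypothetical, and Spring Boot 3 with Spring Security 6 is assumed:

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example, not the answer author's code. Assumes Spring Boot 3 / Spring Security 6.
@Configuration
public class SslRequiredConfig {

    // "External" here means: neither a loopback nor a private (site-local) address.
    static boolean isExternal(String remoteAddr) {
        if (remoteAddr == null || remoteAddr.isBlank()) {
            return true; // getByName() maps null/empty to loopback, so fail closed first
        }
        try {
            // For an IP literal, getByName() only parses the text; no DNS lookup is made.
            InetAddress address = InetAddress.getByName(remoteAddr);
            return !(address.isLoopbackAddress() || address.isSiteLocalAddress());
        } catch (UnknownHostException e) {
            return true; // unparseable address: fail closed and require https
        }
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
            // Hypothetical property, set per environment to all, external or none.
            @Value("${app.ssl-required:all}") String sslRequired) throws Exception {
        RequestMatcher externalClient = request -> isExternal(request.getRemoteAddr());
        switch (sslRequired) {
            // https for every request: the same rule as the SSL-enabled branch in the answer
            case "all" -> http.requiresChannel(c -> c.anyRequest().requiresSecure());
            // https only for callers outside loopback and private ranges
            case "external" ->
                http.requiresChannel(c -> c.requestMatchers(externalClient).requiresSecure());
            // no channel rule: plain http is accepted from any caller
            case "none" -> { }
            // a typo must not silently drop the https requirement
            default -> throw new IllegalStateException("Unknown app.ssl-required: " + sslRequired);
        }
        // The application's OAuth2 and authorization rules go on this same HttpSecurity.
        return http.build();
    }
}
```

Behind a reverse proxy, `getRemoteAddr()` returns the proxy's address unless forwarded headers are processed, so `external` would treat every caller as internal; `all` does not depend on the client address.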
@Bragolgirith do not hesitate to comment if I didn't answer your question (or to accept my answer)