Keycloak ssl-required equivalent

[Bragolgirith]

We're experimenting with migrating an application away from the deprecated Keycloak adapters.

Currently we use the keycloak.ssl-required property (Documentation) to force HTTPS to be used everywhere, most notably in the login page redirects and to set any Cookies to be Secure.

Depending on environment we set it to either none or all. Is there something we can implement to this purpose using either the vanilla Spring Security configuration or the starters?

[ch4mpy]

Radio cut

In environments where you want SSL only, enable https and disable http on both Keycloak and Spring servers.

Director's cut

First, you should enable https and disable http on Keycloak servers on environments you want SSL only to be used. I personally do that on all environments, using self-signed certificates on development ones like my dev machine. Refer to Keycloak documentation for configuration details.

Then you should serve clients and resource-servers with SSL too. With spring-boot, this happens if either server.ssl.enabled is set to true or if it is not set and server.ssl.key-password, server.ssl.key-store and server.ssl.key-store-password are set. I personally set SERVER_SSL_KEY_PASSWORD, SERVER_SSL_KEY_STORE and SERVER_SSL_KEY_STORE_PASSWORD environment variables on all environments (including my dev machines => SSL is enabled by default for all spring-boot apps (unless I explicitely set server.ssl.enabled=false)

If you followed the first tutorial, you might have noticed the following configuration:

        // If SSL enabled, disable http (https only)
        if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
            http.requiresChannel().anyRequest().requiresSecure();
        } else {
            http.requiresChannel().anyRequest().requiresInsecure();
        }

This forces all traffic to be served with https if SSL is enabled (SSL properties set and SSL not disabled). This code block is also included in my starters.

Last, if your clients are not Spring (I almost only write Angular clients), it should be served over https too. Most frameworks support self-signed certificates, at least in dev.

P.S.

My tutorials do not cover (yet?) OAuth2 client configuration. If you serve UI elements with Spring (I understand from your question you do), have a look at this answer on Stackoverflow which contains a sample of an additional "client" filter-chain.

[ch4mpy]

@Bragolgirith do not hesitate to comment if I didn't answer your question (or to accept my answer)