Description
We've agreed with Pedro that it is worth investing more time into testing and documenting that the code grant/introspection requests can go via HTTPS, and also possibly supporting custom trust/key stores for 2-way TLS. This follows a user query about how to get the Keycloak CA verified.
We have also discussed the security of the various client authentication methods with @emmanuelbernard on the forum. The proposal is to warn users that a client secret may be leaked if auth-server-url is an insecure HTTP one and either client_secret_basic or client_secret_post is used.
Or we can go even further and introduce automatic method selection. For example, if it is HTTP and the OIDC provider supports client_secret_basic, client_secret_post and client_secret_jwt, then we auto-select client_secret_jwt. But I suspect that may have some unexpected side effects, so we should probably keep _basic as the default and let users choose based on their requirements.
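To make the leak concrete, here is an added example (not Quarkus or Keycloak code) that builds the introspection request each client authentication method would send, checks whether the raw secret is recoverable from it, and models the proposed warning for a plain-HTTP auth-server-url. It assumes the Keycloak-style introspection path `/protocol/openid-connect/token/introspect` under the realm URL and an HS256 client assertion for client_secret_jwt.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
SECRET_BEARING = {"client_secret_basic", "client_secret_post"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def client_secret_jwt(client_id, client_secret, audience, now=None):
    """HS256 client assertion: the secret signs the JWT but is never transmitted."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": client_id, "sub": client_id, "aud": audience,
                                 "iat": now, "exp": now + 60}).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def introspection_request(method, client_id, client_secret, auth_server_url, token):
    """Endpoint, headers and form body a client sends to the introspection endpoint (assumed Keycloak path)."""
    endpoint = auth_server_url.rstrip("/") + "/protocol/openid-connect/token/introspect"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"token": token}
    if method == "client_secret_basic":  # secret travels base64-encoded in the Authorization header
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = "Basic " + creds
    elif method == "client_secret_post":  # secret travels as a form field
        form.update(client_id=client_id, client_secret=client_secret)
    elif method == "client_secret_jwt":  # only a short-lived signed assertion travels
        form.update(client_id=client_id, client_assertion_type=ASSERTION_TYPE,
                    client_assertion=client_secret_jwt(client_id, client_secret, endpoint))
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return endpoint, headers, form


def secret_on_the_wire(headers, form, client_secret):
    """True when a passive observer of the unencrypted request can read the raw secret."""
    auth = headers.get("Authorization", "")
    basic = base64.b64decode(auth[6:]).decode() if auth.startswith("Basic ") else ""
    return client_secret in form.values() or client_secret in basic


def check_config(auth_server_url, method):
    """The warning proposed above: plain HTTP combined with a secret-bearing method."""
    if urlparse(auth_server_url).scheme == "http" and method in SECRET_BEARING:
        return (f"auth-server-url {auth_server_url} is plain HTTP and {method} sends the "
                "client secret with every request; use HTTPS or client_secret_jwt")
    return None
```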
I'm going to close this one because we have a test confirming the HTTPS connection works now; we can reopen more specific TLS-related issues going forward.
CC @pedroigor