parent
2be5bf1000
commit
098c06ca2d
3 changed files with 5 additions and 11 deletions
|
@ -37,13 +37,6 @@ in the more strict way to enforce some of the requirements. Especially:
|
||||||
==== TLS considerations
|
==== TLS considerations
|
||||||
|
|
||||||
As confidential information is being exchanged, all interactions shall be encrypted with TLS (HTTPS). Moreover, there are some requirements in the FAPI specification for
|
As confidential information is being exchanged, all interactions shall be encrypted with TLS (HTTPS). Moreover, there are some requirements in the FAPI specification for
|
||||||
the cipher suites and TLS protocol versions used. To match these requirements, you can consider configure allowed ciphers. This configuration can be done in the
|
the cipher suites and TLS protocol versions used. To match these requirements, you can consider configure allowed ciphers. This configuration can be done by setting
|
||||||
`KEYCLOAK_HOME/standalone/configuration/standalone-*.xml` file in the Elytron subsystem. For example this element can be added under `tls` -> `server-ssl-contexts`
|
the `https-protocols` and `https-cipher-suites` options. {project_name} uses `TLSv1.3` by default and hence it is posibly not needed to change the default settings. However it
|
||||||
|
may be needed to adjust ciphers if you need to fallback to lower TLS version for some reason. For more details, see https://www.keycloak.org/server/enabletls[Configuring TLS] guide.
|
||||||
[source,xml]
|
|
||||||
<server-ssl-context name="kcSSLContext" want-client-auth="true" protocols="TLSv1.2" \
|
|
||||||
key-manager="kcKeyManager" trust-manager="kcTrustManager" \
|
|
||||||
cipher-suite-filter="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" protocols="TLSv1.2" />
|
|
||||||
|
|
||||||
As confidential information is being exchanged, all interactions shall be encrypted with TLS (HTTPS). Moreover, there are some requirements in the FAPI specification for
|
|
||||||
the cipher suites and TLS protocol versions used. To match these requirements, you can consider configuring allowed ciphers. This configuration can be done by setting the `https-protocols` and `https-cipher-suites` options. For more details, see https://www.keycloak.org/server/enabletls[Configuring TLS] guide.
|
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
|
||||||
[id="webauthn_{context}"]
|
[id="webauthn_{context}"]
|
||||||
=== W3C Web Authentication (WebAuthn)
|
=== W3C Web Authentication (WebAuthn)
|
||||||
|
|
||||||
|
|
|
@ -34,4 +34,4 @@ image:{project_images}/identity-provider-mapper.png[identity provider mapper]
|
||||||
|
|
||||||
For JSON-based claims, you can use dot notation for nesting and square brackets to access array fields by index. For example, `contact.address[0].country`.
|
For JSON-based claims, you can use dot notation for nesting and square brackets to access array fields by index. For example, `contact.address[0].country`.
|
||||||
|
|
||||||
To investigate the structure of user profile JSON data provided by social providers, you can enable the `DEBUG` level logger `org.keycloak.social.user_profile_dump` in the server's app-server configuration file (domain.xml or standalone.xml).
|
To investigate the structure of user profile JSON data provided by social providers, you can enable the `DEBUG` level logger `org.keycloak.social.user_profile_dump` when starting the server.
|
||||||
|
|
Loading…
Reference in a new issue