
Running IdentityServer on HTTP instead of HTTPS

Open hyousuf opened this issue 11 years ago • 2 comments

Hi, I am trying to get my head around running IdentityServer over HTTP and not on HTTPS.

Simple reason being that STS server will be internal to our load balancer and the Network team doesn't want to expose STS to the outside world using SSL and Certs.

I followed a few examples posted by yourself:
https://github.com/IdentityServer/Thinktecture.IdentityServer2/wiki/Disable-SSL-for-load-balancing-and-proxy-server-scenarios
https://github.com/IdentityServer/Thinktecture.IdentityServer2/issues/390

but none of them seem to work.

The simplest thing I want to achieve is to be able to run STS on HTTP, having the WS-Trust URL as HTTP, and be able to validate the tokens inside my code without using any Asymmetric or Symmetric Keys.

hyousuf, Feb 12 '15 14:02

Disabling SSL behind the load balancer just removes the SSL Redirect filter. You should still use SSL outside the LB.

And you should definitely sign and validate your tokens, that's not related to SSL at all.

If you want to run without SSL entirely in development, you need to set requireSsl="false" on your cookieHandler in identityServices.config. Otherwise the idsrv cookies will not be set, as secure cookies require SSL.

hansarnevartdal, Feb 12 '15 14:02
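The cookie behaviour described in the comment above, as an added example that is not part of the thread or of IdentityServer's code. It assumes that requireSsl="true" results in a cookie carrying the Secure attribute; the host name and cookie name are constructed.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "sts.example.internal"   # constructed host name
COOKIE_NAME = "idsrv-sample"    # constructed cookie name, not the real one


def make_cookie(secure: bool) -> Cookie:
    """Build a session cookie for HOST, with or without the Secure attribute."""
    return Cookie(
        version=0, name=COOKIE_NAME, value="constructed",
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header(scheme: str, secure: bool):
    """Return the Cookie header a client attaches to scheme://HOST/, or None."""
    jar = CookieJar()
    jar.set_cookie(make_cookie(secure))
    # No network traffic: the Request object is only used for header selection.
    request = Request(f"{scheme}://{HOST}/")
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


if __name__ == "__main__":
    # Secure=True models requireSsl="true"; Secure=False models requireSsl="false".
    for secure in (True, False):
        for scheme in ("https", "http"):
            sent = cookie_header(scheme, secure)
            print(f"Secure={secure!s:5} {scheme:5} -> {sent or 'no cookie sent'}")
```

A Secure cookie never accompanies a plain-HTTP request, so the session cannot be re-established on the next request and sign-in does not stick.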

Can I not validate the token against the Audience URI without SSL?

hyousuf, Feb 17 '15 12:02