Closed odiab closed 2 weeks ago
Can you give us some insight on why you want to disable https? I'm asking because disabling it would render IdentityServer and any other identity provider insecure since all http traffic can be monitored and intercepted.
We implement IdentityServer locally on a LAN. We don't have SSL and, for some reason, we cannot generate a self-signed certificate.
The OpenID Protocol is designed with https and the https server authentication through certificates as the "trust anchor" for the entire system. It is clearly spelled out in the OIDC specification that https must be used for at least the discovery endpoint.
It might be technically possible to get IdentityServer running in a non-https environment, but doing so would require an in-depth understanding of the consequences. It would also put very strict requirements on the security of the network to prevent sniffing of the clear-text traffic.
Could you share any more information on why it would not be feasible for you to enable https on your local LAN? Maybe we can help find solutions (or convincing arguments) to get it implemented.
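The https requirement described in the comment above can be checked mechanically against a provider's discovery document. The following is an added example, not part of the thread and not Duende's code; the function names, the host `idsrv.lan.example` and the sample document are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: a discovery document as an HTTP-only LAN deployment
# might publish it. Host name and paths are made up for this example.
SAMPLE_HTTP_DOC = {
    "issuer": "http://idsrv.lan.example:5000",
    "jwks_uri": "http://idsrv.lan.example:5000/.well-known/openid-configuration/jwks",
    "authorization_endpoint": "http://idsrv.lan.example:5000/connect/authorize",
    "token_endpoint": "http://idsrv.lan.example:5000/connect/token",
    "response_types_supported": ["code"],
}


def url_fields(doc):
    """Yield (name, value) for the issuer and every endpoint-style URL field."""
    for name, value in doc.items():
        if name in ("issuer", "jwks_uri") or name.endswith("_endpoint"):
            yield name, value


def audit_discovery(doc, discovery_url):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    fetched = urlsplit(discovery_url)
    if fetched.scheme != "https":
        findings.append("discovery document was fetched over " + (fetched.scheme or "no scheme"))
    # OIDC Discovery: the issuer must equal the URL the document was fetched
    # from, minus the well-known suffix. Without https on that fetch, this
    # comparison proves nothing, because the response itself can be altered.
    suffix = "/.well-known/openid-configuration"
    expected_issuer = discovery_url[: -len(suffix)] if discovery_url.endswith(suffix) else None
    if doc.get("issuer") != expected_issuer:
        findings.append("issuer does not match the discovery URL")
    # Every URL the client will later send credentials or tokens to must be https.
    for name, value in url_fields(doc):
        parts = urlsplit(value) if isinstance(value, str) else None
        if parts is None or parts.scheme != "https" or not parts.hostname:
            findings.append(f"{name} is not an absolute https URL: {value!r}")
    return findings


if __name__ == "__main__":
    url = "http://idsrv.lan.example:5000/.well-known/openid-configuration"
    for finding in audit_discovery(SAMPLE_HTTP_DOC, url):
        print(finding)
```
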
@odiab Did Anders' comment clear things up for you? If so I'd like to close.
Closing this, but feel free to reopen.
Which version of Duende IdentityServer are you using? 7.0.4
Which version of .NET are you using? 8.0.6
How to disable HTTPS, and work only with HTTP for all projects: IdentityServer, Api, WebClient