Open hyousuf opened 9 years ago
Disabling SSL behind the load balancer just removes the SSL Redirect filter. You should still use SSL outside the LB.
And you should definitely sign and validate your tokens, that's not related to SSL at all.
If you want to run without SSL entirely in development, you need to set requireSsl="false" on your cookieHandler in identityServices.config. Otherwise the idsrv cookies will not be set, as secure cookies require SSL.
Can I not validate the token against the Audience URI without SSL?
Hi, I am trying to get my head around running IdentityServer over HTTP and not on HTTPS.
The simple reason being that the STS server will be internal to our load balancer and the network team doesn't want to expose the STS to the outside world using SSL and certs.
I followed a few examples posted by yourself:
https://github.com/IdentityServer/Thinktecture.IdentityServer2/wiki/Disable-SSL-for-load-balancing-and-proxy-server-scenarios
https://github.com/IdentityServer/Thinktecture.IdentityServer2/issues/390
but none of them seem to work.
The simplest thing I want to achieve is to be able to run the STS on HTTP, with the WS-Trust URL being HTTP, and be able to validate the tokens inside my code without using any asymmetric or symmetric keys.