spent the last few weeks on #Keycloak and #Tyk API Gateway, aiming to secure API endpoints deployed on the web
It's a learning curve that is both challenging and fascinating, from deployment (Kubernetes/Helm/Openshift) to configuration and tuning. #WIP
"Keycloak is an open source identity provider (IdP) with single-sign on (SSO) capabilities. It supports the most widely used enterprise authentication protocols, namely OpenID Connect (OIDC), OAuth 2.0, and SAML. With Keycloak, users sign in once and share the same identity across multiple applications and platforms in a transparent manner."
If you like, you can hear me talk about single sign-on for web applications at the Chemnitzer Linuxtage. But that's only for those who don't oversleep on Sunday mornings. 😉
CVEs reported without version, and/or never updated to limit their CPEs to exclude versions where the vulnerability is fixed;
and now I get false positives every single time I update that dependency 😭
(in this case, specifically, Keycloak's CVE-2022-1438 and CVE-2023-0105, both still reported on version 22.0.4 by Dependency Track; the GitHub Advisories have the accurate information, but not the NVD 😡)
The last one is a paid service and has nothing to do with the open source captcha solution by the European Union (despite the nearly similar name)
If not secured properly, one-time passwords are a lot more likely to be guessed than you think!
Ever since I've learned that #Keycloak's default configuration does not prevent #OTP brute-forcing, I wanted to discuss the topic in detail and raise awareness.
There is a sea of Cloud Auth / Identity management providers.
There was a time I used to roll my own, but as security is getting complicated, it seems for startups & small to medium businesses it is better to use a cloud auth provider.
Please share your thoughts on your experience with this as I look into this area.
I could probably make a little shim between #IndieAuth clients and #Keycloak to handle client lookup and registration. Not completely sure how IndieAuth clients would handle the redirect though (as it would be undoubtedly cross-subdomain)...
I've started reading a bit about #IndieAuth -- for some reason, I started with the spec on W3.org, which makes more sense to me than a lot of stuff I've read but it also doesn't "feel" complete.
I'm wondering if I can configure #Keycloak to function sufficiently as an IndieAuth provider.