Comment by ecshafer
11 hours ago
Keycloak is a great authentication suite, not that hard to configure and rock solid.
I'll never understand this thinking.
Auth providers are among the hardest systems to secure. It's not just a question of the underlying code having vulnerabilities - for companies with Internet logins, auth systems (a) are exposed to the internet, (b) are not cache-friendly static content, (c) come under heavy expected load, both malicious (the DDoS kind) and non-malicious (the viral product launch kind), (d) if they ever go down, the rest of the system is offline (failsafe closed).
It's hardly surprising that the market prefers to offload that responsibility to players it thinks it can trust, who operate at a scale where concerns about high traffic go away.
Keycloak has various vulnerabilities they haven't even responded to after a month of reporting them.
Are these documented anywhere? A full month with no response at all puts you firmly in “responsible disclosure” territory if they are not already publicly known. I'm pretty sure DayJob uses keycloak (or at least is assessing it - I'm a bit removed from that side of things these days) so that information could be pertinent to us.
Disclose publicly then, if you haven't already?
Definitely makes things safer than users not knowing about them.