[keycloak-dev] bundle an SMTP server?

Bill Burke bburke at redhat.com
Fri Nov 8 11:27:51 EST 2013



On 11/8/2013 5:42 AM, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Tuesday, 5 November, 2013 4:21:54 PM
>> Subject: Re: [keycloak-dev] bundle an SMTP server?
>>
>> I disagree.  Users aren't going to download Keycloak and immediately use
>> it in production.  Autogenerated self-signed SSL certs, an SMTP server,
>> and a preconfigured DB all make sense as then the user can immediately
>> use keycloak in development and configure certs, db, etc. later when
>> they want to run it in production.
>
> Why would a developer need SSL? There's a good reason why I wouldn't want to have a self-signed cert while doing dev/test and that's the fact that the browser will keep bugging you telling you that the certificate is not valid. I think Firefox lets you accept the certificate permanently, but Chrome will just keep bugging you over and over again.
>

This is from JBoss experiences.  You want to lock down your server as 
much as possible OOTB, well, because many users are stupid.  For 
example, The Server Side deployed on JBoss years ago and they forgot to 
secure the JBoss admin console. So.... random people kept shutting down 
theserverside.com :)  (No, I swear I'm not guilty of this!!!)  JBoss 
got the perception (from stupid analysts) that we were insecure.

Keycloak will require SSL for all communications by default for the very 
reason that transmitting codes and credentials in the clear is bad.  You 
have to explicitly turn it off.

> With regards to SMTP server, I think it's going to be rare that a developer needs this. If/when it's needed during development, I would at least personally prefer to just have it print the email to the log, or just have it use my gmail account for sending mails. Emails sent from an email server that is not properly associated with a domain will with a high likelihood end up in spam.
>
> The simplest solution for a developer to use Keycloak would in my opinion be a fully hosted solution. That way you can have proper SSL cert, email server and db, all without having to worry about anything other than using it. The second best would be a proper OpenShift cartridge. This would let you use the shared OpenShift SSL cert, a proper db (automatically configured and setup), but AFAIK there's no email server cartridge for OpenShift. There may be a good reason for that, a shared email server that lets anyone send emails could be used to send spam, and would result in it being quickly blacklisted by spam filters.
>

Agreed, but Keycloak will be deployed on local machines too.  I can't 
see myself running an auth solution on the public cloud to secure 
Intranet apps.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com