[keycloak-dev] bundle an SMTP server?
Stian Thorgersen
stian at redhat.com
Fri Nov 8 11:40:45 EST 2013
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 8 November, 2013 4:27:51 PM
> Subject: Re: [keycloak-dev] bundle an SMTP server?
>
>
>
> On 11/8/2013 5:42 AM, Stian Thorgersen wrote:
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Tuesday, 5 November, 2013 4:21:54 PM
> >> Subject: Re: [keycloak-dev] bundle an SMTP server?
> >>
> >> I disagree. Users aren't going to download Keycloak and immediately use
> >> it in production. Autogenerated self-signed SSL certs, an SMTP server,
> >> and a preconfigured DB all make sense as then the user can immediately
> >> use keycloak in development and configure certs, db, etc. later when
> >> they want to run it in production.
> >
> > Why would a developer need SSL? There's a good reason why I wouldn't want
> > to have a self-signed cert while doing dev/test and that's the fact that
> > the browser will keep bugging you telling you that the certificate is not
> > valid. I think Firefox lets you accept the certificate permanently, but
> > Chrome will just keep bugging you over and over again.
> >
>
> This is from JBoss experiences. You want to lock down your server as
> much as possible OOTB, well, because many users are stupid. For
> example, The Server Side deployed on JBoss years ago and they forgot to
> secure the JBoss admin console. So.... random people kept shutting down
> theserverside.com :) (No, I swear I'm not guilty of this!!!). JBoss
> got the perception (from stupid analysts) that we were insecure.
I remember that shit - it was even possible to Google for unsecured JBoss consoles :)
With that in mind, enabling SSL by default makes sense - I didn't consider the fact that idiots will deploy it as is, thinking that it should just work for production straight away.
>
> Keycloak will require SSL for all communications by default for the very
> reason that transmitting codes and credentials in the clear is bad. You
> have to explicitly turn it off.
>
> > With regards to SMTP server, I think it's going to be rare that a developer
> > needs this. If when it's needed during development, I would at least
> > personally prefer to just have it print the email to the log, or just have
> > it use my gmail account for sending mails. Emails sent from an email server
> > that is not properly associated with a domain will, with a high likelihood,
> > end up in spam.
> >
> > The simplest solution for a developer to use Keycloak would in my opinion
> > be a fully hosted solution. That way you can have proper SSL cert, email
> > server and db, all without having to worry about anything other than using
> > it. The second best would be a proper OpenShift cartridge. This would let
> > you use the shared OpenShift SSL cert, a proper db (automatically
> > configured and setup), but AFAIK there's no email server cartridge for
> > OpenShift. There may be a good reason for that, a shared email server that
> > lets anyone send emails could be used to send spam, and would result in it
> > being quickly blacklisted by spam filters.
> >
>
> Agreed, but Keycloak will be deployed on local machines too. I can't
> see myself running an auth solution on the public cloud to secure
> Intranet apps.
True - but if people want to deploy (and manage) it internally, wouldn't you then assume some level of understanding of how to set up the required environment (db + smtp)?
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
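The secure-by-default stance argued for above (SSL required for all communications out of the box, with plaintext only by explicit opt-out), as an added example in Python that is neither Keycloak's code nor anything posted in this thread. It goes slightly beyond the text by adding an "external" mode that relaxes the requirement only for loopback and private-network clients, which addresses the self-signed-cert nagging on a developer's machine without opening the server to plaintext from elsewhere. The policy names, the config key "ssl-required", the loopback/private-range carve-out and the sample addresses are all assumptions made for this illustration.

```python
"""Added example (not Keycloak's code): an 'SSL required' request policy
whose default is the locked-down setting, so plaintext HTTP only works
after an operator explicitly opts out.

Assumptions made for this illustration: the policy names, the config key
'ssl-required', the loopback/private-network carve-out and the sample
addresses below are all invented here.
"""
import ipaddress
from dataclasses import dataclass

# Assumed policy values:
#   "all"      TLS required for every request (the out-of-the-box default)
#   "external" TLS required unless the client is on loopback or a private
#              range; lets a developer skip self-signed-cert warnings on
#              localhost while still refusing plaintext from anywhere else
#   "none"     TLS not required anywhere (the explicit opt-out)
VALID_POLICIES = ("all", "external", "none")
DEFAULT_SSL_REQUIRED = "all"
CONFIG_KEY = "ssl-required"  # assumed config key name


@dataclass(frozen=True)
class Request:
    """Minimal view of an incoming request, constructed for the example."""
    scheme: str      # "http" or "https"
    client_ip: str   # peer address as seen by the server
    path: str


def load_ssl_policy(config: dict) -> str:
    """Read the policy from a config mapping.

    A missing key means the secure default; an unknown value is an error,
    never a silent fallback to the permissive setting.
    """
    policy = config.get(CONFIG_KEY, DEFAULT_SSL_REQUIRED)
    if policy not in VALID_POLICIES:
        raise ValueError(f"{CONFIG_KEY} must be one of {VALID_POLICIES}, got {policy!r}")
    return policy


def is_local_client(ip: str) -> bool:
    """True for loopback and private-range addresses (ValueError on junk input)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_private


def ssl_required_for(req: Request, policy: str = DEFAULT_SSL_REQUIRED) -> bool:
    """Decide whether this particular request must arrive over TLS."""
    if policy == "all":
        return True
    if policy == "external":
        return not is_local_client(req.client_ip)
    if policy == "none":
        return False
    raise ValueError(f"unknown policy {policy!r}")


def check_request(req: Request, policy: str = DEFAULT_SSL_REQUIRED) -> tuple:
    """Return (status, reason). Plaintext requests get 403 whenever the
    policy says TLS is required, so codes and credentials are never read
    off a connection the policy does not allow."""
    if req.scheme == "https":
        return 200, "ok"
    if ssl_required_for(req, policy):
        return 403, "HTTPS required"
    return 200, f"ok (plaintext permitted by policy {policy!r})"


if __name__ == "__main__":
    # Constructed sample requests; addresses chosen for the example only.
    samples = [
        Request("http", "127.0.0.1", "/auth/login"),  # developer on localhost
        Request("http", "8.8.8.8", "/auth/login"),    # some remote client
        Request("https", "8.8.8.8", "/auth/login"),
    ]
    for cfg in ({}, {CONFIG_KEY: "external"}, {CONFIG_KEY: "none"}):
        policy = load_ssl_policy(cfg)
        for req in samples:
            status, reason = check_request(req, policy)
            print(f"policy={policy:<8} {req.scheme}://{req.client_ip}{req.path} -> {status} {reason}")
```

Run as a script it prints the decision for each sample under the three policies; with an empty config the only request that gets through is the HTTPS one, which is the point: the operator has to write "none" (or "external") into the config to get anything else, and a typo in that value fails loudly instead of quietly turning TLS off.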