4:08 a.m.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Friday, 18 July, 2014 10:03:38 AM
Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
On 18.7.2014 10:25, Stian Thorgersen wrote:
> Last we didn't do it because of the potential headache for admins to deal
> with it, especially in a cloud environment.
>
> I wonder if it would make sense to always encrypt in the database with a
> master key for the server. The master key could then be specified in
> keycloak-server.json. If users need the additional security they could
> make sure keycloak-server.json (as well as standalone.xml which has the
> ssl certificate keys) are stored on an encrypted drive. If not stored in
> keycloak-server.json the user would have to specify it when starting the
> server, which would have to be done by a prompt I think. Specifying it as
> an environment variable or system properties is not very safe as that can
> just as easily be read by an intruder as a file. This would make life a
> bit harder in a cluster though.
Not sure about prompt, but master key in keycloak-server.json should
work well and won't be a pain in cluster as long as all cluster nodes
have same value in keycloak-server.json? Only thing is that if we add
some default value into keycloak-server.json, then probably 99% of
people won't change it:-)
We'd have to generate it on the first startup. I guess in a cluster people would have
to sync keycloak-server.json between all nodes in either case.
But it's better than nothing IMO as people at least have possibility to
change the master key if they want better security .
Maybe best is to have SPI with encrypt/decrypt methods, which adds best
flexibility for people (default implementation will just encrypt/decrypt
with master key from keycloak-server.json)?
Yep, we may even want to support hardware security modules, which would require some form
of an SPI for encryption/decryption. IMO that's not for this round though.
Marek
>
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>, "keycloak
dev"
>> <keycloak-dev(a)lists.jboss.org>
>> Sent: Thursday, 17 July, 2014 6:42:13 PM
>> Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
>>
>> One thing, which we discussed before was encoding of privateKey before
>> saving to DB? As currently if someone "steal" database record with
>> privateKey, he is able to create encoded accessTokens and send requests
>> to bearer-only applications.
>>
>> Or is this still planned for August?
>>
>> Marek
>>
>> On 17.7.2014 14:55, Stian Thorgersen wrote:
>>> As we didn't have enough things to do last minute I come up with more
>>> things which I think we should do for 1.0.final:
>>>
>>> 1. Configure JPA through keycloak-server.json instead of persistence.xml
>>>
>>> This would be super simple to do, and would let us have a single
>>> persistence.xml for everything (testsuite, server, project-integrations).
>>> Everything worthy of configuring in persistence.xml (including
>>> datasource)
>>> can be passed in the Map overrides when creating the
>>> EntityManagerFactory.
>>>
>>>
>>> 2. Introduce server-dependencies-min and server-dependencies-all poms
>>>
>>> We have a few places that includes all the dependencies required (server,
>>> testsuite/integration and testsuite/) as well as other project such as
>>> AeroGear and LiveOak. Instead of everyone having to list all the
>>> dependencies they could have a single dependency on either
>>> server-dependencies-min or server-dependencies-all. Min would exclude
>>> most
>>> if not all provider implementations (such as PicketLink/LDAP, social
>>> providers, etc).
>>>
>>>
>>> 3. TOTP SPI
>>>
>>> At the moment we only support Google Authenticator, I don't think
that's
>>> sufficient. We should at the very least add support for one more, and
>>> have
>>> an SPI so users can add their own. I think this would be related to the
>>> UserProvider sync work, as some UserProvider implementations may require
>>> both a password and totp to verify a users credentials, while others
>>> would
>>> only be able to verify the password and then have Keycloak verify the
>>> totp.
>>>
>>> Also, do we need to support users with more than one totp? Personally I
>>> have two for work (one I use daily and another for backup).
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>