> ----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 8 November, 2013 4:27:51 PM
> Subject: Re: [keycloak-dev] bundle an SMTP server?
>
> On 11/8/2013 5:42 AM, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-dev(a)lists.jboss.org
>>> Sent: Tuesday, 5 November, 2013 4:21:54 PM
>>> Subject: Re: [keycloak-dev] bundle an SMTP server?
>>>
>>> I disagree. Users aren't going to download Keycloak and immediately use
>>> it in production. Autogenerated self-signed SSL certs, an SMTP server,
>>> and a preconfigured DB all make sense as then the user can immediately
>>> use keycloak in development and configure certs, db, etc. later when
>>> they want to run it in production.
>>
>> Why would a developer need SSL? There's a good reason why I wouldn't want
>> to have a self-signed cert while doing dev/test and that's the fact that
>> the browser will keep bugging you telling you that the certificate is not
>> valid. I think Firefox lets you accept the certificate permanently, but
>> Chrome will just keep bugging you over and over again.
>>
> This is from JBoss experiences. You want to lock down your server as
> much as possible OOTB, well, because many users are stupid. For
> example, The Server Side deployed on JBoss years ago and they forgot to
> secure the JBoss admin console. So.... random people kept shutting down
> theserverside.com :) (No, I swear I'm not guilty of this!!!). JBoss
> got the perception (from stupid analysts) that we were insecure.

I remember that shit - it was even possible to Google for unsecured JBoss consoles :)
With that in mind enabling SSL by default makes sense - I didn't consider the fact
that idiots will deploy it as is, thinking that it should just work for production
straight away.

> Keycloak will require SSL for all communications by default for the very
> reason that transmitting codes and credentials in the clear is bad. You
> have to explicitly turn it off.
>
>> With regards to SMTP server, I think it's going to be rare that a developer
>> needs this. If and when it's needed during development, I would at least
>> personally prefer to just have it print the email to the log, or just have
>> it use my gmail account for sending mails. Emails sent from an email server
>> that is not properly associated with a domain will with a high likelihood
>> end up in spam.
>>
>> The simplest solution for a developer to use Keycloak would in my opinion
>> be a fully hosted solution. That way you can have proper SSL cert, email
>> server and db, all without having to worry about anything other than using
>> it. The second best would be a proper OpenShift cartridge. This would let
>> you use the shared OpenShift SSL cert, a proper db (automatically
>> configured and setup), but AFAIK there's no email server cartridge for
>> OpenShift. There may be a good reason for that, a shared email server that
>> lets anyone send emails could be used to send spam, and would result in it
>> being quickly blacklisted by spam filters.
>>
> Agreed, but Keycloak will be deployed on local machines too. I can't
> see myself running an auth solution on the public cloud to secure
> Intranet apps.

True - but if people want to deploy (and manage) it internally wouldn't you then
assume some level of understanding of how to set up the required environment (db + smtp)?

> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
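Two ideas from the thread above, a development mailer that prints the email to the log instead of sending it, and a transport-security default that is on unless explicitly turned off, can be combined in one small sketch. This is an added illustration, not code from Keycloak or from either poster; `MailConfig`, `choose_transport` and `send` are hypothetical names, the addresses and hosts are constructed sample values, and the real project's configuration looks nothing like this.

```python
import logging
import smtplib
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Optional

log = logging.getLogger("mail")


@dataclass(frozen=True)
class MailConfig:
    """Hypothetical mail settings (not Keycloak's real configuration)."""
    smtp_host: Optional[str] = None   # no host configured => log-only transport
    smtp_port: int = 587
    require_tls: bool = True          # secure default: plaintext SMTP only on explicit opt-out
    from_addr: str = "noreply@localhost"  # constructed sample sender


def choose_transport(cfg: MailConfig) -> str:
    """Decide how a message will be delivered.

    'log'      -> development: write the mail to the log, send nothing.
    'smtp+tls' -> real SMTP with STARTTLS enforced.
    'smtp'     -> real SMTP in the clear; reachable only by setting require_tls=False.
    """
    if cfg.smtp_host is None:
        return "log"
    return "smtp+tls" if cfg.require_tls else "smtp"


def build_message(cfg: MailConfig, to_addr: str, subject: str, body: str) -> EmailMessage:
    """Assemble a plain-text message with the configured sender."""
    msg = EmailMessage()
    msg["From"] = cfg.from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send(cfg: MailConfig, to_addr: str, subject: str, body: str) -> str:
    """Deliver via the transport the config selects; return the transport name used."""
    transport = choose_transport(cfg)
    msg = build_message(cfg, to_addr, subject, body)
    if transport == "log":
        # Development mode: the whole message goes to the log and nothing leaves the host,
        # so a misconfigured dev box cannot become a spam source or a spam-filter casualty.
        log.info("would send mail:\n%s", msg.as_string())
        return transport
    with smtplib.SMTP(cfg.smtp_host, cfg.smtp_port, timeout=10) as smtp:
        if transport == "smtp+tls":
            # starttls() raises if the server cannot upgrade, so the default never
            # silently falls back to sending credentials or codes in the clear.
            smtp.starttls()
        smtp.send_message(msg)
    return transport


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    dev = MailConfig()  # nothing configured: the verification mail is only logged
    send(dev, "alice@example.test", "Verify your account", "constructed sample body")
```

With no SMTP host set, the out-of-the-box behaviour is the log-only transport, which matches the "print the email to the log" preference; once a host is configured, TLS is required unless someone deliberately sets `require_tls=False`, which is the "you have to explicitly turn it off" posture applied to mail rather than to the HTTP listener.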