7:55 a.m.
As we didn't have enough things to do last minute I come up with more things which I
think we should do for 1.0.final:
1. Configure JPA through keycloak-server.json instead of persistence.xml
This would be super simple to do, and would let us have a single persistence.xml for
everything (testsuite, server, project-integrations). Everything worthy of configuring in
persistence.xml (including datasource) can be passed in the Map overrides when creating
the EntityManagerFactory.
2. Introduce server-dependencies-min and server-dependencies-all poms
We have a few places that includes all the dependencies required (server,
testsuite/integration and testsuite/) as well as other project such as AeroGear and
LiveOak. Instead of everyone having to list all the dependencies they could have a single
dependency on either server-dependencies-min or server-dependencies-all. Min would exclude
most if not all provider implementations (such as PicketLink/LDAP, social providers,
etc).
3. TOTP SPI
At the moment we only support Google Authenticator, I don't think that's
sufficient. We should at the very least add support for one more, and have an SPI so users
can add their own. I think this would be related to the UserProvider sync work, as some
UserProvider implementations may require both a password and totp to verify a users
credentials, while others would only be able to verify the password and then have Keycloak
verify the totp.
Also, do we need to support users with more than one totp? Personally I have two for work
(one I use daily and another for backup).
8:14 a.m.
On 7/17/2014 8:55 AM, Stian Thorgersen wrote:
As we didn't have enough things to do last minute I come up with
more things which I think we should do for 1.0.final:
1. Configure JPA through keycloak-server.json instead of persistence.xml
This would be super simple to do, and would let us have a single persistence.xml for
everything (testsuite, server, project-integrations). Everything worthy of configuring in
persistence.xml (including datasource) can be passed in the Map overrides when creating
the EntityManagerFactory.
-1. I don't think learning a new configuration format for
persistence.xml is user friendly. Users would have to translate the
Hibernate documentation to our json format.
2. Introduce server-dependencies-min and server-dependencies-all poms
We have a few places that includes all the dependencies required (server,
testsuite/integration and testsuite/) as well as other project such as AeroGear and
LiveOak. Instead of everyone having to list all the dependencies they could have a single
dependency on either server-dependencies-min or server-dependencies-all. Min would exclude
most if not all provider implementations (such as PicketLink/LDAP, social providers,
etc).
+1
3. TOTP SPI
At the moment we only support Google Authenticator, I don't think that's
sufficient. We should at the very least add support for one more, and have an SPI so users
can add their own. I think this would be related to the UserProvider sync work, as some
UserProvider implementations may require both a password and totp to verify a users
credentials, while others would only be able to verify the password and then have Keycloak
verify the totp.
+1. Do we have cycles to include in 1.0?
Also, do we need to support users with more than one totp? Personally
I have two for work (one I use daily and another for backup).
+1. Do we have cycles to include in 1.0?
\
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:20 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 17 July, 2014 2:14:21 PM
Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
On 7/17/2014 8:55 AM, Stian Thorgersen wrote:
> As we didn't have enough things to do last minute I come up with more
> things which I think we should do for 1.0.final:
>
> 1. Configure JPA through keycloak-server.json instead of persistence.xml
>
> This would be super simple to do, and would let us have a single
> persistence.xml for everything (testsuite, server, project-integrations).
> Everything worthy of configuring in persistence.xml (including datasource)
> can be passed in the Map overrides when creating the EntityManagerFactory.
>
-1. I don't think learning a new configuration format for
persistence.xml is user friendly. Users would have to translate the
Hibernate documentation to our json format.
It would support both, configuration can either be done through persistence.xml or
keycloak-server.json. We could use the same property names, so it would just be a matter
of putting it in keycloak-server instead of properties in persistence.xml.
Also, why do our users need to understand Hibernate/JPA just to be able to configure what
data-source to use for Keycloak?
>
> 2. Introduce server-dependencies-min and server-dependencies-all poms
>
> We have a few places that includes all the dependencies required (server,
> testsuite/integration and testsuite/) as well as other project such as
> AeroGear and LiveOak. Instead of everyone having to list all the
> dependencies they could have a single dependency on either
> server-dependencies-min or server-dependencies-all. Min would exclude most
> if not all provider implementations (such as PicketLink/LDAP, social
> providers, etc).
>
+1
>
> 3. TOTP SPI
>
> At the moment we only support Google Authenticator, I don't think that's
> sufficient. We should at the very least add support for one more, and have
> an SPI so users can add their own. I think this would be related to the
> UserProvider sync work, as some UserProvider implementations may require
> both a password and totp to verify a users credentials, while others would
> only be able to verify the password and then have Keycloak verify the
> totp.
>
+1. Do we have cycles to include in 1.0?
> Also, do we need to support users with more than one totp? Personally I
> have two for work (one I use daily and another for backup).
+1. Do we have cycles to include in 1.0?
\
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:30 a.m.
On 7/17/2014 9:20 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, 17 July, 2014 2:14:21 PM
> Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
>
>
>
> On 7/17/2014 8:55 AM, Stian Thorgersen wrote:
>> As we didn't have enough things to do last minute I come up with more
>> things which I think we should do for 1.0.final:
>>
>> 1. Configure JPA through keycloak-server.json instead of persistence.xml
>>
>> This would be super simple to do, and would let us have a single
>> persistence.xml for everything (testsuite, server, project-integrations).
>> Everything worthy of configuring in persistence.xml (including datasource)
>> can be passed in the Map overrides when creating the EntityManagerFactory.
>>
>
> -1. I don't think learning a new configuration format for
> persistence.xml is user friendly. Users would have to translate the
> Hibernate documentation to our json format.
It would support both, configuration can either be done through persistence.xml or
keycloak-server.json. We could use the same property names, so it would just be a matter
of putting it in keycloak-server instead of properties in persistence.xml.
Also, why do our users need to understand Hibernate/JPA just to be able to configure what
data-source to use for Keycloak?
Actually, you're right. We wouldn't even need a persistence.xml file.
We wouldn't need even any JPA specific settings in keycloak-server.json
by default too, right?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:33 a.m.
We would need peristence.xml just to list the entity-classes. Everything else would be
configured through keycloak-server.json, and we could support both Hibernate property
names and simpler Keycloak names.
The nice thing about having a persistence.xml with just the entity-classes is that if
someone is a Hibernate wizard they can just not specify anything in keycloak-server.json,
and just configure it all through the persistence.xml
BTW if we did this, do we even have to explode the auth-server.war in the dist? Templates
are extracted to standalone/configuration/templates and configuration is done through
standalone/configuration/keycloak-server.json.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 17 July, 2014 2:30:18 PM
Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
On 7/17/2014 9:20 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 17 July, 2014 2:14:21 PM
>> Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
>>
>>
>>
>> On 7/17/2014 8:55 AM, Stian Thorgersen wrote:
>>> As we didn't have enough things to do last minute I come up with more
>>> things which I think we should do for 1.0.final:
>>>
>>> 1. Configure JPA through keycloak-server.json instead of persistence.xml
>>>
>>> This would be super simple to do, and would let us have a single
>>> persistence.xml for everything (testsuite, server, project-integrations).
>>> Everything worthy of configuring in persistence.xml (including
>>> datasource)
>>> can be passed in the Map overrides when creating the
>>> EntityManagerFactory.
>>>
>>
>> -1. I don't think learning a new configuration format for
>> persistence.xml is user friendly. Users would have to translate the
>> Hibernate documentation to our json format.
>
> It would support both, configuration can either be done through
> persistence.xml or keycloak-server.json. We could use the same property
> names, so it would just be a matter of putting it in keycloak-server
> instead of properties in persistence.xml.
>
> Also, why do our users need to understand Hibernate/JPA just to be able to
> configure what data-source to use for Keycloak?
>
Actually, you're right. We wouldn't even need a persistence.xml file.
We wouldn't need even any JPA specific settings in keycloak-server.json
by default too, right?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:48 a.m.
+1 as long as it's still possible to override hibernate properties also
with system properties as it's now. Overriding through system properties
is useful especially for running tests with various databases in CI, so
it's possible to configure MS-SQL etc in Jenkins just by setup few
system properties instead of copying/editing configuration files, which
would be a pain.
Marek
On 17.7.2014 15:33, Stian Thorgersen wrote:
We would need peristence.xml just to list the entity-classes.
Everything else would be configured through keycloak-server.json, and we could support
both Hibernate property names and simpler Keycloak names.
The nice thing about having a persistence.xml with just the entity-classes is that if
someone is a Hibernate wizard they can just not specify anything in keycloak-server.json,
and just configure it all through the persistence.xml
BTW if we did this, do we even have to explode the auth-server.war in the dist? Templates
are extracted to standalone/configuration/templates and configuration is done through
standalone/configuration/keycloak-server.json.
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, 17 July, 2014 2:30:18 PM
> Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
>
>
>
> On 7/17/2014 9:20 AM, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: keycloak-dev(a)lists.jboss.org
>>> Sent: Thursday, 17 July, 2014 2:14:21 PM
>>> Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
>>>
>>>
>>>
>>> On 7/17/2014 8:55 AM, Stian Thorgersen wrote:
>>>> As we didn't have enough things to do last minute I come up with
more
>>>> things which I think we should do for 1.0.final:
>>>>
>>>> 1. Configure JPA through keycloak-server.json instead of persistence.xml
>>>>
>>>> This would be super simple to do, and would let us have a single
>>>> persistence.xml for everything (testsuite, server,
project-integrations).
>>>> Everything worthy of configuring in persistence.xml (including
>>>> datasource)
>>>> can be passed in the Map overrides when creating the
>>>> EntityManagerFactory.
>>>>
>>> -1. I don't think learning a new configuration format for
>>> persistence.xml is user friendly. Users would have to translate the
>>> Hibernate documentation to our json format.
>> It would support both, configuration can either be done through
>> persistence.xml or keycloak-server.json. We could use the same property
>> names, so it would just be a matter of putting it in keycloak-server
>> instead of properties in persistence.xml.
>>
>> Also, why do our users need to understand Hibernate/JPA just to be able to
>> configure what data-source to use for Keycloak?
>>
> Actually, you're right. We wouldn't even need a persistence.xml file.
> We wouldn't need even any JPA specific settings in keycloak-server.json
> by default too, right?
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:52 a.m.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>, "Bill Burke"
<bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 17 July, 2014 3:48:45 PM
Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
+1 as long as it's still possible to override hibernate properties also
with system properties as it's now. Overriding through system properties
is useful especially for running tests with various databases in CI, so
it's possible to configure MS-SQL etc in Jenkins just by setup few
system properties instead of copying/editing configuration files, which
would be a pain.
Wanted to talk to you about that, I think Jenkins should configure the KeycloakDS
datasource. That's how we'll document it for users to do, so that's how we
should test it.
Look at https://github.com/aerogear/aerogear-unifiedpush-server/tree/master/datab.... It
should be fairly straightforward to use those scripts with jboss-cli.sh to configure the
datasource?
Marek
On 17.7.2014 15:33, Stian Thorgersen wrote:
> We would need peristence.xml just to list the entity-classes. Everything
> else would be configured through keycloak-server.json, and we could
> support both Hibernate property names and simpler Keycloak names.
>
> The nice thing about having a persistence.xml with just the entity-classes
> is that if someone is a Hibernate wizard they can just not specify
> anything in keycloak-server.json, and just configure it all through the
> persistence.xml
>
> BTW if we did this, do we even have to explode the auth-server.war in the
> dist? Templates are extracted to standalone/configuration/templates and
> configuration is done through
> standalone/configuration/keycloak-server.json.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 17 July, 2014 2:30:18 PM
>> Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
>>
>>
>>
>> On 7/17/2014 9:20 AM, Stian Thorgersen wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: keycloak-dev(a)lists.jboss.org
>>>> Sent: Thursday, 17 July, 2014 2:14:21 PM
>>>> Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
>>>>
>>>>
>>>>
>>>> On 7/17/2014 8:55 AM, Stian Thorgersen wrote:
>>>>> As we didn't have enough things to do last minute I come up with
more
>>>>> things which I think we should do for 1.0.final:
>>>>>
>>>>> 1. Configure JPA through keycloak-server.json instead of
>>>>> persistence.xml
>>>>>
>>>>> This would be super simple to do, and would let us have a single
>>>>> persistence.xml for everything (testsuite, server,
>>>>> project-integrations).
>>>>> Everything worthy of configuring in persistence.xml (including
>>>>> datasource)
>>>>> can be passed in the Map overrides when creating the
>>>>> EntityManagerFactory.
>>>>>
>>>> -1. I don't think learning a new configuration format for
>>>> persistence.xml is user friendly. Users would have to translate the
>>>> Hibernate documentation to our json format.
>>> It would support both, configuration can either be done through
>>> persistence.xml or keycloak-server.json. We could use the same property
>>> names, so it would just be a matter of putting it in keycloak-server
>>> instead of properties in persistence.xml.
>>>
>>> Also, why do our users need to understand Hibernate/JPA just to be able
>>> to
>>> configure what data-source to use for Keycloak?
>>>
>> Actually, you're right. We wouldn't even need a persistence.xml file.
>> We wouldn't need even any JPA specific settings in keycloak-server.json
>> by default too, right?
>>
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:25 a.m.
Good morning Stian,
Is the revocation of the refresh token[1][2] also planned?
[1] -
http://lists.jboss.org/pipermail/keycloak-dev/2014-June/001950.html
[2] - http://tools.ietf.org/html/rfc7009
On 2014-07-17, Stian Thorgersen wrote:
As we didn't have enough things to do last minute I come up with
more things which I think we should do for 1.0.final:
1. Configure JPA through keycloak-server.json instead of persistence.xml
This would be super simple to do, and would let us have a single persistence.xml for
everything (testsuite, server, project-integrations). Everything worthy of configuring in
persistence.xml (including datasource) can be passed in the Map overrides when creating
the EntityManagerFactory.
2. Introduce server-dependencies-min and server-dependencies-all poms
We have a few places that includes all the dependencies required (server,
testsuite/integration and testsuite/) as well as other project such as AeroGear and
LiveOak. Instead of everyone having to list all the dependencies they could have a single
dependency on either server-dependencies-min or server-dependencies-all. Min would exclude
most if not all provider implementations (such as PicketLink/LDAP, social providers,
etc).
3. TOTP SPI
At the moment we only support Google Authenticator, I don't think that's
sufficient. We should at the very least add support for one more, and have an SPI so users
can add their own. I think this would be related to the UserProvider sync work, as some
UserProvider implementations may require both a password and totp to verify a users
credentials, while others would only be able to verify the password and then have Keycloak
verify the totp.
Also, do we need to support users with more than one totp? Personally I have two for work
(one I use daily and another for backup).
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
8:30 a.m.
Nope, if it something you really really really need it we could look at it. Or at least
consider for 1.1
I don't think we'd allow revoking individual refresh tokens, but instead allow
revoking a client from a specific user session. The end result would be pretty much the
same, except if there was multiple refresh tokens active for a client they would all be
invalidated.
The revoking part is easy, it to endpoints, admin console and account management that is
more time consuming :/
----- Original Message -----
From: "Bruno Oliveira" <bruno(a)abstractj.org>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Thursday, 17 July, 2014 2:25:34 PM
Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
Good morning Stian,
Is the revocation of the refresh token[1][2] also planned?
[1] -
http://lists.jboss.org/pipermail/keycloak-dev/2014-June/001950.html
[2] - http://tools.ietf.org/html/rfc7009
On 2014-07-17, Stian Thorgersen wrote:
> As we didn't have enough things to do last minute I come up with more
> things which I think we should do for 1.0.final:
>
> 1. Configure JPA through keycloak-server.json instead of persistence.xml
>
> This would be super simple to do, and would let us have a single
> persistence.xml for everything (testsuite, server, project-integrations).
> Everything worthy of configuring in persistence.xml (including datasource)
> can be passed in the Map overrides when creating the EntityManagerFactory.
>
>
> 2. Introduce server-dependencies-min and server-dependencies-all poms
>
> We have a few places that includes all the dependencies required (server,
> testsuite/integration and testsuite/) as well as other project such as
> AeroGear and LiveOak. Instead of everyone having to list all the
> dependencies they could have a single dependency on either
> server-dependencies-min or server-dependencies-all. Min would exclude most
> if not all provider implementations (such as PicketLink/LDAP, social
> providers, etc).
>
>
> 3. TOTP SPI
>
> At the moment we only support Google Authenticator, I don't think that's
> sufficient. We should at the very least add support for one more, and have
> an SPI so users can add their own. I think this would be related to the
> UserProvider sync work, as some UserProvider implementations may require
> both a password and totp to verify a users credentials, while others would
> only be able to verify the password and then have Keycloak verify the
> totp.
>
> Also, do we need to support users with more than one totp? Personally I
> have two for work (one I use daily and another for backup).
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
8:33 a.m.
On 7/17/2014 9:25 AM, Bruno Oliveira wrote:
Good morning Stian,
Is the revocation of the refresh token[1][2] also planned?
[1] -
http://lists.jboss.org/pipermail/keycloak-dev/2014-June/001950.html
[2] - http://tools.ietf.org/html/rfc7009
This is what you currently can do:
1. You can set up a notBefore policy realm-wide. This will invalidate
all refresh tokens realm wide.
2. You can invalidate a user session which invalidates all refresh
tokens created under that session.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
12:42 p.m.
One thing, which we discussed before was encoding of privateKey before
saving to DB? As currently if someone "steal" database record with
privateKey, he is able to create encoded accessTokens and send requests
to bearer-only applications.
Or is this still planned for August?
Marek
On 17.7.2014 14:55, Stian Thorgersen wrote:
As we didn't have enough things to do last minute I come up with
more things which I think we should do for 1.0.final:
1. Configure JPA through keycloak-server.json instead of persistence.xml
This would be super simple to do, and would let us have a single persistence.xml for
everything (testsuite, server, project-integrations). Everything worthy of configuring in
persistence.xml (including datasource) can be passed in the Map overrides when creating
the EntityManagerFactory.
2. Introduce server-dependencies-min and server-dependencies-all poms
We have a few places that includes all the dependencies required (server,
testsuite/integration and testsuite/) as well as other project such as AeroGear and
LiveOak. Instead of everyone having to list all the dependencies they could have a single
dependency on either server-dependencies-min or server-dependencies-all. Min would exclude
most if not all provider implementations (such as PicketLink/LDAP, social providers,
etc).
3. TOTP SPI
At the moment we only support Google Authenticator, I don't think that's
sufficient. We should at the very least add support for one more, and have an SPI so users
can add their own. I think this would be related to the UserProvider sync work, as some
UserProvider implementations may require both a password and totp to verify a users
credentials, while others would only be able to verify the password and then have Keycloak
verify the totp.
Also, do we need to support users with more than one totp? Personally I have two for work
(one I use daily and another for backup).
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:25 a.m.
Last we didn't do it because of the potential headache for admins to deal with it,
especially in a cloud environment.
I wonder if it would make sense to always encrypt in the database with a master key for
the server. The master key could then be specified in keycloak-server.json. If users need
the additional security they could make sure keycloak-server.json (as well as
standalone.xml which has the ssl certificate keys) are stored on an encrypted drive. If
not stored in keycloak-server.json the user would have to specify it when starting the
server, which would have to be done by a prompt I think. Specifying it as an environment
variable or system properties is not very safe as that can just as easily be read by an
intruder as a file. This would make life a bit harder in a cluster though.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>, "keycloak dev"
<keycloak-dev(a)lists.jboss.org>
Sent: Thursday, 17 July, 2014 6:42:13 PM
Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
One thing, which we discussed before was encoding of privateKey before
saving to DB? As currently if someone "steal" database record with
privateKey, he is able to create encoded accessTokens and send requests
to bearer-only applications.
Or is this still planned for August?
Marek
On 17.7.2014 14:55, Stian Thorgersen wrote:
> As we didn't have enough things to do last minute I come up with more
> things which I think we should do for 1.0.final:
>
> 1. Configure JPA through keycloak-server.json instead of persistence.xml
>
> This would be super simple to do, and would let us have a single
> persistence.xml for everything (testsuite, server, project-integrations).
> Everything worthy of configuring in persistence.xml (including datasource)
> can be passed in the Map overrides when creating the EntityManagerFactory.
>
>
> 2. Introduce server-dependencies-min and server-dependencies-all poms
>
> We have a few places that includes all the dependencies required (server,
> testsuite/integration and testsuite/) as well as other project such as
> AeroGear and LiveOak. Instead of everyone having to list all the
> dependencies they could have a single dependency on either
> server-dependencies-min or server-dependencies-all. Min would exclude most
> if not all provider implementations (such as PicketLink/LDAP, social
> providers, etc).
>
>
> 3. TOTP SPI
>
> At the moment we only support Google Authenticator, I don't think that's
> sufficient. We should at the very least add support for one more, and have
> an SPI so users can add their own. I think this would be related to the
> UserProvider sync work, as some UserProvider implementations may require
> both a password and totp to verify a users credentials, while others would
> only be able to verify the password and then have Keycloak verify the
> totp.
>
> Also, do we need to support users with more than one totp? Personally I
> have two for work (one I use daily and another for backup).
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:03 a.m.
On 18.7.2014 10:25, Stian Thorgersen wrote:
Last we didn't do it because of the potential headache for admins
to deal with it, especially in a cloud environment.
I wonder if it would make sense to always encrypt in the database with a master key for
the server. The master key could then be specified in keycloak-server.json. If users need
the additional security they could make sure keycloak-server.json (as well as
standalone.xml which has the ssl certificate keys) are stored on an encrypted drive. If
not stored in keycloak-server.json the user would have to specify it when starting the
server, which would have to be done by a prompt I think. Specifying it as an environment
variable or system properties is not very safe as that can just as easily be read by an
intruder as a file. This would make life a bit harder in a cluster though.
Not sure
about prompt, but master key in keycloak-server.json should
work well and won't be a pain in cluster as long as all cluster nodes
have same value in keycloak-server.json? Only thing is that if we add
some default value into keycloak-server.json, then probably 99% of
people won't change it:-)
But it's better than nothing IMO as people at least have possibility to
change the master key if they want better security .
Maybe best is to have SPI with encrypt/decrypt methods, which adds best
flexibility for people (default implementation will just encrypt/decrypt
with master key from keycloak-server.json)?
Marek
----- Original Message -----
> From: "Marek Posolda" <mposolda(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>, "keycloak dev"
<keycloak-dev(a)lists.jboss.org>
> Sent: Thursday, 17 July, 2014 6:42:13 PM
> Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
>
> One thing, which we discussed before was encoding of privateKey before
> saving to DB? As currently if someone "steal" database record with
> privateKey, he is able to create encoded accessTokens and send requests
> to bearer-only applications.
>
> Or is this still planned for August?
>
> Marek
>
> On 17.7.2014 14:55, Stian Thorgersen wrote:
>> As we didn't have enough things to do last minute I come up with more
>> things which I think we should do for 1.0.final:
>>
>> 1. Configure JPA through keycloak-server.json instead of persistence.xml
>>
>> This would be super simple to do, and would let us have a single
>> persistence.xml for everything (testsuite, server, project-integrations).
>> Everything worthy of configuring in persistence.xml (including datasource)
>> can be passed in the Map overrides when creating the EntityManagerFactory.
>>
>>
>> 2. Introduce server-dependencies-min and server-dependencies-all poms
>>
>> We have a few places that includes all the dependencies required (server,
>> testsuite/integration and testsuite/) as well as other project such as
>> AeroGear and LiveOak. Instead of everyone having to list all the
>> dependencies they could have a single dependency on either
>> server-dependencies-min or server-dependencies-all. Min would exclude most
>> if not all provider implementations (such as PicketLink/LDAP, social
>> providers, etc).
>>
>>
>> 3. TOTP SPI
>>
>> At the moment we only support Google Authenticator, I don't think that's
>> sufficient. We should at the very least add support for one more, and have
>> an SPI so users can add their own. I think this would be related to the
>> UserProvider sync work, as some UserProvider implementations may require
>> both a password and totp to verify a users credentials, while others would
>> only be able to verify the password and then have Keycloak verify the
>> totp.
>>
>> Also, do we need to support users with more than one totp? Personally I
>> have two for work (one I use daily and another for backup).
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
4:08 a.m.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Friday, 18 July, 2014 10:03:38 AM
Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
On 18.7.2014 10:25, Stian Thorgersen wrote:
> Last we didn't do it because of the potential headache for admins to deal
> with it, especially in a cloud environment.
>
> I wonder if it would make sense to always encrypt in the database with a
> master key for the server. The master key could then be specified in
> keycloak-server.json. If users need the additional security they could
> make sure keycloak-server.json (as well as standalone.xml which has the
> ssl certificate keys) are stored on an encrypted drive. If not stored in
> keycloak-server.json the user would have to specify it when starting the
> server, which would have to be done by a prompt I think. Specifying it as
> an environment variable or system properties is not very safe as that can
> just as easily be read by an intruder as a file. This would make life a
> bit harder in a cluster though.
Not sure about prompt, but master key in keycloak-server.json should
work well and won't be a pain in cluster as long as all cluster nodes
have same value in keycloak-server.json? Only thing is that if we add
some default value into keycloak-server.json, then probably 99% of
people won't change it:-)
We'd have to generate it on the first startup. I guess in a cluster people would have
to sync keycloak-server.json between all nodes in either case.
But it's better than nothing IMO as people at least have possibility to
change the master key if they want better security .
Maybe best is to have SPI with encrypt/decrypt methods, which adds best
flexibility for people (default implementation will just encrypt/decrypt
with master key from keycloak-server.json)?
Yep, we may even want to support hardware security modules, which would require some form
of an SPI for encryption/decryption. IMO that's not for this round though.
Marek
>
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>, "keycloak
dev"
>> <keycloak-dev(a)lists.jboss.org>
>> Sent: Thursday, 17 July, 2014 6:42:13 PM
>> Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
>>
>> One thing, which we discussed before was encoding of privateKey before
>> saving to DB? As currently if someone "steal" database record with
>> privateKey, he is able to create encoded accessTokens and send requests
>> to bearer-only applications.
>>
>> Or is this still planned for August?
>>
>> Marek
>>
>> On 17.7.2014 14:55, Stian Thorgersen wrote:
>>> As we didn't have enough things to do last minute I come up with more
>>> things which I think we should do for 1.0.final:
>>>
>>> 1. Configure JPA through keycloak-server.json instead of persistence.xml
>>>
>>> This would be super simple to do, and would let us have a single
>>> persistence.xml for everything (testsuite, server, project-integrations).
>>> Everything worthy of configuring in persistence.xml (including
>>> datasource)
>>> can be passed in the Map overrides when creating the
>>> EntityManagerFactory.
>>>
>>>
>>> 2. Introduce server-dependencies-min and server-dependencies-all poms
>>>
>>> We have a few places that includes all the dependencies required (server,
>>> testsuite/integration and testsuite/) as well as other project such as
>>> AeroGear and LiveOak. Instead of everyone having to list all the
>>> dependencies they could have a single dependency on either
>>> server-dependencies-min or server-dependencies-all. Min would exclude
>>> most
>>> if not all provider implementations (such as PicketLink/LDAP, social
>>> providers, etc).
>>>
>>>
>>> 3. TOTP SPI
>>>
>>> At the moment we only support Google Authenticator, I don't think
that's
>>> sufficient. We should at the very least add support for one more, and
>>> have
>>> an SPI so users can add their own. I think this would be related to the
>>> UserProvider sync work, as some UserProvider implementations may require
>>> both a password and totp to verify a users credentials, while others
>>> would
>>> only be able to verify the password and then have Keycloak verify the
>>> totp.
>>>
>>> Also, do we need to support users with more than one totp? Personally I
>>> have two for work (one I use daily and another for backup).
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
6:29 a.m.
Late for the discussion, but +1 about the SPI. What if the key on
keycloak-server was a public key for encryption? And the private key for
decryption stays on protected hard drive, TPM or whatever? Is that the
idea?
On 2014-07-18, Stian Thorgersen wrote:
----- Original Message -----
> From: "Marek Posolda" <mposolda(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> Sent: Friday, 18 July, 2014 10:03:38 AM
> Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
>
> On 18.7.2014 10:25, Stian Thorgersen wrote:
> > Last we didn't do it because of the potential headache for admins to deal
> > with it, especially in a cloud environment.
> >
> > I wonder if it would make sense to always encrypt in the database with a
> > master key for the server. The master key could then be specified in
> > keycloak-server.json. If users need the additional security they could
> > make sure keycloak-server.json (as well as standalone.xml which has the
> > ssl certificate keys) are stored on an encrypted drive. If not stored in
> > keycloak-server.json the user would have to specify it when starting the
> > server, which would have to be done by a prompt I think. Specifying it as
> > an environment variable or system properties is not very safe as that can
> > just as easily be read by an intruder as a file. This would make life a
> > bit harder in a cluster though.
> Not sure about prompt, but master key in keycloak-server.json should
> work well and won't be a pain in cluster as long as all cluster nodes
> have same value in keycloak-server.json? Only thing is that if we add
> some default value into keycloak-server.json, then probably 99% of
> people won't change it:-)
We'd have to generate it on the first startup. I guess in a cluster people would have
to sync keycloak-server.json between all nodes in either case.
>
> But it's better than nothing IMO as people at least have possibility to
> change the master key if they want better security .
>
> Maybe best is to have SPI with encrypt/decrypt methods, which adds best
> flexibility for people (default implementation will just encrypt/decrypt
> with master key from keycloak-server.json)?
Yep, we may even want to support hardware security modules, which would require some form
of an SPI for encryption/decryption. IMO that's not for this round though.
>
> Marek
> >
> > ----- Original Message -----
> >> From: "Marek Posolda" <mposolda(a)redhat.com>
> >> To: "Stian Thorgersen" <stian(a)redhat.com>, "keycloak
dev"
> >> <keycloak-dev(a)lists.jboss.org>
> >> Sent: Thursday, 17 July, 2014 6:42:13 PM
> >> Subject: Re: [keycloak-dev] Additional things to consider for 1.0.final
> >>
> >> One thing, which we discussed before was encoding of privateKey before
> >> saving to DB? As currently if someone "steal" database record
with
> >> privateKey, he is able to create encoded accessTokens and send requests
> >> to bearer-only applications.
> >>
> >> Or is this still planned for August?
> >>
> >> Marek
> >>
> >> On 17.7.2014 14:55, Stian Thorgersen wrote:
> >>> As we didn't have enough things to do last minute I come up with
more
> >>> things which I think we should do for 1.0.final:
> >>>
> >>> 1. Configure JPA through keycloak-server.json instead of
persistence.xml
> >>>
> >>> This would be super simple to do, and would let us have a single
> >>> persistence.xml for everything (testsuite, server,
project-integrations).
> >>> Everything worthy of configuring in persistence.xml (including
> >>> datasource)
> >>> can be passed in the Map overrides when creating the
> >>> EntityManagerFactory.
> >>>
> >>>
> >>> 2. Introduce server-dependencies-min and server-dependencies-all poms
> >>>
> >>> We have a few places that includes all the dependencies required
(server,
> >>> testsuite/integration and testsuite/) as well as other project such as
> >>> AeroGear and LiveOak. Instead of everyone having to list all the
> >>> dependencies they could have a single dependency on either
> >>> server-dependencies-min or server-dependencies-all. Min would exclude
> >>> most
> >>> if not all provider implementations (such as PicketLink/LDAP, social
> >>> providers, etc).
> >>>
> >>>
> >>> 3. TOTP SPI
> >>>
> >>> At the moment we only support Google Authenticator, I don't think
that's
> >>> sufficient. We should at the very least add support for one more, and
> >>> have
> >>> an SPI so users can add their own. I think this would be related to
the
> >>> UserProvider sync work, as some UserProvider implementations may
require
> >>> both a password and totp to verify a users credentials, while others
> >>> would
> >>> only be able to verify the password and then have Keycloak verify the
> >>> totp.
> >>>
> >>> Also, do we need to support users with more than one totp? Personally
I
> >>> have two for work (one I use daily and another for backup).
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
3810
days inactive
3815
days old
14 comments
4 participants
participants (4)
-
Bill Burke -
Bruno Oliveira -
Marek Posolda -
Stian Thorgersen