5:43 a.m.
Hi group,
yesterday I gave a talk about Keycloak at the Javaland conference in
Germany.
The talk was well attended (~100) and I got a lot of questions at the end.
Some of the things people asked for were:
Q1: Will Keycloak support JWT with EC signature?
Q2: How to integrate Keycloak login forms or use custom login components
in Single Page Applications?
Q3:Will the Spring Boot Adapter make use of the Spring Security Adapter
instead of
using the Servlet Container specific implementations?
Q4: Is there a reserved path for custom REST-Resources to avoid
clashes with Keycloak REST-Resources in new releases?
Q5: Is there a documentation of all exposed Resource paths in Keycloak
(appart from the REST API Docs)?
Q6: Are there some guidelines for protecting a Keycloak server?
Q7: The RH-SSO commercial offering states that it is based on the Open
Source
Community Edition of Keycloak and that on can get patches and support.
Will those patches (e.g. for security vulnerabilities) also end up in the
Community Edition?
In addition to those questions. Some people asked for a list of services
using Keycloak.
Since not many people talk about that they are using Keycloak
I found a nice way to find some Keycloak installations with a simple
google search, just try:
inurl:auth inurl:realms inurl:protocol
Cheers,
Thomas
6:47 a.m.
On Thu, Mar 30, 2017 at 12:43 PM, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
Hi group,
yesterday I gave a talk about Keycloak at the Javaland conference in
Germany.
The talk was well attended (~100) and I got a lot of questions at the end.
Congrats ! I also saw some nice tweets about your talk.
Let me just answer the question about Spring Boot / Security
Some of the things people asked for were:
Q1: Will Keycloak support JWT with EC signature?
Q2: How to integrate Keycloak login forms or use custom login components
in Single Page Applications?
Q3:Will the Spring Boot Adapter make use of the Spring Security Adapter
instead of
using the Servlet Container specific implementations?
For now no, we had this discussion already sometime ago but we have a
pretty fair amount of users who uses Spring Boot without Spring Security so
it make sense to keep it separated. But in the next release there will be
some small enhancement to make the combination of the 2 more smooth.
Q4: Is there a reserved path for custom REST-Resources to avoid
clashes with Keycloak REST-Resources in new releases?
Q5: Is there a documentation of all exposed Resource paths in Keycloak
(appart from the REST API Docs)?
Q6: Are there some guidelines for protecting a Keycloak server?
Q7: The RH-SSO commercial offering states that it is based on the Open
Source
Community Edition of Keycloak and that on can get patches and support.
Will those patches (e.g. for security vulnerabilities) also end up in the
Community Edition?
In addition to those questions. Some people asked for a list of services
using Keycloak.
It's an easy one but one big user is ... Red Hat ;)
Since not many people talk about that they are using Keycloak
I found a nice way to find some Keycloak installations with a simple
google search, just try:
inurl:auth inurl:realms inurl:protocol
Cheers,
Thomas
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
7:24 a.m.
On 30 March 2017 at 12:43, Thomas Darimont <thomas.darimont(a)googlemail.com>
wrote:
Hi group,
yesterday I gave a talk about Keycloak at the Javaland conference in
Germany.
The talk was well attended (~100) and I got a lot of questions at the end.
Some of the things people asked for were:
Q1: Will Keycloak support JWT with EC signature?
We'd like to eventually, but currently this is in the backlog of features
to add.
Q2: How to integrate Keycloak login forms or use custom login components
in Single Page Applications?
Don't is the simple answer, use a redirect. It's possible to embed with an
iframe, but awkward and has security implications is the slightly longer
answer.
Q3:Will the Spring Boot Adapter make use of the Spring Security Adapter
instead of
using the Servlet Container specific implementations?
Q4: Is there a reserved path for custom REST-Resources to avoid
clashes with Keycloak REST-Resources in new releases?
Good question. No there isn't.
Q5: Is there a documentation of all exposed Resource paths in Keycloak
(appart from the REST API Docs)?
No
Q6: Are there some guidelines for protecting a Keycloak server?
Yes, somewhere in the admin guide (it's the last chapter if I remember
correctly)
Q7: The RH-SSO commercial offering states that it is based on the Open
Source
Community Edition of Keycloak and that on can get patches and support.
Will those patches (e.g. for security vulnerabilities) also end up in the
Community Edition?
Yes, but there are key differences here. In RH-SSO we can issue security
patches and allow customers to patch the current installation before
anything is made public. Only after customers have had a chance to patch
will be provide the fix in community and in most cases (unless it's very
bad) you will also have to wait and upgrade to the next release as we don't
in general do micro releases in community.
In addition to those questions. Some people asked for a list of services
using Keycloak.
Since not many people talk about that they are using Keycloak
I found a nice way to find some Keycloak installations with a simple
google search, just try:
inurl:auth inurl:realms inurl:protocol
Looks like our robots.txt isn't stopping all indexing in Google for some
reason. That's not good. In any case that list doesn't show all users of
Keycloak as there are plenty I know about not being revealed by that search.
We don't distribute list of customers of RH-SSO, nor do we go around
announcing who uses Keycloak either.
Cheers,
Thomas
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2581
days inactive
2581
days old
2 comments
3 participants
participants (3)
-
Sebastien Blanc -
Stian Thorgersen -
Thomas Darimont