[keycloak-dev] Additional things to consider for 1.0.final

Marek Posolda mposolda at redhat.com
Thu Jul 17 13:42:13 EDT 2014


One thing which we discussed before was encoding the privateKey before 
saving it to the DB? Currently, if someone "steals" a database record with 
the privateKey, he is able to create encoded accessTokens and send requests 
to bearer-only applications.

Or is this still planned for August?

Marek

On 17.7.2014 14:55, Stian Thorgersen wrote:
> As we didn't have enough things to do last minute, I came up with more things which I think we should do for 1.0.final:
>
> 1. Configure JPA through keycloak-server.json instead of persistence.xml
>
> This would be super simple to do, and would let us have a single persistence.xml for everything (testsuite, server, project-integrations). Everything worthy of configuring in persistence.xml (including datasource) can be passed in the Map overrides when creating the EntityManagerFactory.
>
>
> 2. Introduce server-dependencies-min and server-dependencies-all poms
>
> We have a few places that include all the dependencies required (server, testsuite/integration and testsuite/) as well as other projects such as AeroGear and LiveOak. Instead of everyone having to list all the dependencies, they could have a single dependency on either server-dependencies-min or server-dependencies-all. Min would exclude most if not all provider implementations (such as PicketLink/LDAP, social providers, etc).
>
>
> 3. TOTP SPI
>
> At the moment we only support Google Authenticator, I don't think that's sufficient. We should at the very least add support for one more, and have an SPI so users can add their own. I think this would be related to the UserProvider sync work, as some UserProvider implementations may require both a password and totp to verify a user's credentials, while others would only be able to verify the password and then have Keycloak verify the totp.
>
> Also, do we need to support users with more than one totp? Personally I have two for work (one I use daily and another for backup).
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
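The threat Marek raises above, as an added example that is not part of this thread and not Keycloak's own code: a stolen realm row holding the signing key in the clear lets the thief mint RS256 access tokens that a bearer-only application (which only has the realm public key) accepts, whereas a row whose key is wrapped under a key-encryption key kept outside the database is useless on its own. It assumes the Python `cryptography` package; the realm name "demo", the row layout, the function names and the nonce-prefixed AES-GCM blob format are all illustrative choices, not Keycloak's storage format.

```python
"""Added example: realm signing key at rest, plaintext vs. wrapped under a KEK.
Not Keycloak code; row format and names are illustrative. Requires `cryptography`."""
import base64
import json
import os
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

REALM = "demo"  # assumed realm name, used as AES-GCM associated data below


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(private_key, claims: dict) -> str:
    """RS256-sign a compact JWT. Anyone holding the realm private key can do this."""
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = private_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{signing_input}.{_b64url(sig)}"


def bearer_only_app_accepts(public_key, token: str) -> bool:
    """A bearer-only app checks signature and expiry; it cannot distinguish a forged token."""
    try:
        h, p, s = token.split(".")
        public_key.verify(_b64url_decode(s), f"{h}.{p}".encode(), padding.PKCS1v15(), hashes.SHA256())
        return json.loads(_b64url_decode(p)).get("exp", 0) > time.time()
    except (ValueError, InvalidSignature):
        return False


def _pem(private_key) -> bytes:
    return private_key.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()
    )


def realm_row_plaintext(private_key) -> dict:
    """The weak form: the PEM goes into the realm row as-is."""
    return {"realm": REALM, "privateKey": _pem(private_key).decode()}


def realm_row_wrapped(private_key, kek: bytes) -> dict:
    """The hardened form: PEM encrypted with AES-256-GCM under a KEK that is NOT in the DB.
    Blob layout (illustrative): 12-byte nonce || ciphertext+tag, base64url. AAD = realm name,
    so a blob copied into another realm's row fails to decrypt."""
    nonce = os.urandom(12)
    blob = nonce + AESGCM(kek).encrypt(nonce, _pem(private_key), REALM.encode())
    return {"realm": REALM, "privateKey": _b64url(blob)}


def unwrap_private_key(row: dict, kek: bytes):
    """What the server does at startup: KEK from config/KMS + row from DB -> usable key."""
    blob = _b64url_decode(row["privateKey"])
    pem = AESGCM(kek).decrypt(blob[:12], blob[12:], row["realm"].encode())
    return serialization.load_pem_private_key(pem, password=None)


def attacker_with_db_dump(row: dict, victim_claims: dict):
    """Attacker holds only the stolen row, no KEK. Returns a forged token, or None if the
    column does not parse as a private key."""
    try:
        key = serialization.load_pem_private_key(row["privateKey"].encode(), password=None)
    except Exception:  # wrapped blob is not PEM; cryptography raises ValueError
        return None
    return mint_access_token(key, victim_claims)


def demo() -> dict:
    realm_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = realm_key.public_key()
    claims = {"sub": "admin", "aud": "bearer-only-app", "exp": int(time.time()) + 300}

    forged = attacker_with_db_dump(realm_row_plaintext(realm_key), claims)

    kek = os.urandom(32)  # assumed to come from server config / HSM / KMS, never the same DB
    wrapped = realm_row_wrapped(realm_key, kek)
    blocked = attacker_with_db_dump(wrapped, claims)
    legit = mint_access_token(unwrap_private_key(wrapped, kek), claims)
    tampered = legit.rsplit(".", 1)[0] + "." + _b64url(b"\x00" * 256)  # bad signature

    return {
        "plaintext_forgery_accepted": bearer_only_app_accepts(pub, forged),
        "wrapped_forgery": blocked,
        "server_token_accepted": bearer_only_app_accepts(pub, legit),
        "tampered_accepted": bearer_only_app_accepts(pub, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The wrapping only buys something if the KEK really lives outside the database (server configuration, an HSM or a KMS); an attacker who gets both the DB dump and the server config is back to the plaintext case. Whichever form is stored, a suspected leak of the row should also trigger a signing-key rotation, since tokens already minted with the old key stay valid until they expire.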
