
189 points udev4096 | 3 comments
mickael-kerjean No.42136723
What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Having very high expectations when using the software without contributing anything other than public shaming of something that clearly states in the license "Licensor provides the Work ... WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND" shouldn't be ok; this is quite literally how you make open source developers burn out.

replies(7): >>42136837 #>>42136872 #>>42136966 #>>42137033 #>>42137338 #>>42137517 #>>42137650 #
1. aseipp No.42137338
Keycloak is not written by some random person in the middle of nowhere who is shouldering the burdens of the world. It is security sensitive software that in part is funded by major open-source corporations like Red Hat, including full time engineers. What you're reading in this blog is literally standard fare in security research where a disclosure happens after some set period of time, regardless of when, or even if, the fix happened.

Fixing authentication bypasses is not "very high expectations", it's exactly what you would expect from this software. Get a grip on reality, please.

replies(1): >>42140923 #
2. threatofrain No.42140923
Is it still funded by Red Hat today?
replies(1): >>42147881 #
3. aseipp No.42147881
Several developers and full-time employees, including the project lead, are still employed by Red Hat.