189 points udev4096 | 11 comments
1. wvh No.42138009
    Identity, authn and authn are hard. A failure in the code, logic or at the seams messes up everything that it tries to protect. There are a few big commercial players trying to take the market with their "social login", and a few smaller (open-source) players trying to compete and survive, walking a fine line between open-source and open-core.

    I feel this is one avenue where a few open-source players should get some solid funding and support from both the organisations and governments that use their software so we don't end up with unmaintained bug-riddled code and have to login with Google or Facebook everywhere.

    A lot of the government agencies I work with use open-source IdP software (because they have to privacy- and policy-wise), so some healthy funding model should be possible for people with the skill and interest.

    replies(5): >>42138508 #>>42138602 #>>42139245 #>>42139296 #>>42140612 #
2. apitman No.42138508
    I maintain a reasonably good table of the open source options here: https://github.com/lastlogin-net/obligator?tab=readme-ov-fil...
    replies(3): >>42138775 #>>42139650 #>>42146110 #
3. stavros No.42138602
    It's one thing if your domain is hard, and another if you can't be bothered to fix a core problem in your service for ten months. Why would I trust you with my security if that's how long you leave vulnerabilities open after knowing about them?
4. cinntaile No.42138775
    Assuming this is a rather complete list... It's interesting that most were written in Go.
    replies(1): >>42139973 #
5. JadeNB No.42139245
    > Identity, authn and authn are hard.

    Just a typo, was one of those authns meant to be something else, or a meta-joke (of the "there are two hard problems" type)?

    replies(1): >>42139297 #
6. jdenning No.42139297
    I assume one was supposed to be "authz"
7. wslh No.42139296
    > Identity, authn and authn are hard.

It would be great if you or somebody else could complete the idea of hardness with a comparison. Am I wrong if I say that this kind of auth system requires formal methods to check it? I don't think that a 10-month timeline is linked to the hard problem.

8. mjcohen No.42139650
    What is Vanity?
9. rnewme No.42139973
And how it has few dependencies.
10. pphysch No.42140612
    > Identity, authn and authn are hard

They are technically straightforward problems. The challenge is usually political: who owns the identity, who manages the identity, privacy concerns of users, etc.

Authz can get crazy; there are a lot of over-engineered solutions there because there's basically no hard boundary between authz and general business logic.

    But identity and authn are relatively straightforward, technically, and we ought to have a better FOSS solution than just Keycloak.

11. moribvndvs No.42146110
    Any insight on supertokens? https://supertokens.com/