
189 points udev4096 | 3 comments
mickael-kerjean No.42136723
What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Having very high expectations when using the software without contributing anything other than public shaming, on something that clearly states in the license: "Licensor provides the Work ... WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND", shouldn't be OK; this is quite literally how you make open source developers burn out.

replies(7): >>42136837 #>>42136872 #>>42136966 #>>42137033 #>>42137338 #>>42137517 #>>42137650 #
some_furry No.42136837
> What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Yeah, no. That's not how security research works.

If I disclose a security issue to you, it doesn't matter if you're a multinational trillion dollar corporation or a hobbyist in Nebraska, the onus is on you to fix it. Not the security researcher. Their job is done once it's disclosed.

From the timeline:

> 28/03/2024 – First communication sent with all details and a proposed fix.

After that point, any additional help (including a pull request) is going above and beyond.

I run into this attitude you're exhibiting a lot. Where proprietary software has the legal threats, the open source community is plagued by patch entitlement.

Knowledge of a security issue in a project is, in and of itself, a valuable contribution. Expecting a PR devalues this work.

replies(2): >>42136977 #>>42137118 #
noselasd No.42136977
> If I disclose a security issue to you, it doesn't matter if you're a multinational trillion dollar corporation or a hobbyist in Nebraska, the onus is on you to fix it. Not the security researcher. Their job is done once it's disclosed.

On the other hand, if I'm a hobbyist, I have 0 obligations to do or fix anything I've made open source. Patches are welcome, of course.

replies(5): >>42136995 #>>42137081 #>>42137644 #>>42139052 #>>42161121 #
ziddoap No.42137081
> I have 0 obligations to do or fix anything I've made open source.

While technically true, this seems pretty scummy when you're advertising security software for real people and companies to use as their identity management.

Nowhere on the Keycloak home page does it say "just a hobby project" or anything that would remotely indicate that it is not a serious project and that you shouldn't use the software.

Instead, it seems like they are trying very hard to be taken seriously as an identity management product.

replies(1): >>42137119 #
flanked-evergl No.42137119
> Nowhere on the Keycloak home page does it say "just a hobby project" or anything that would remotely indicate that it is not a serious project and that you shouldn't use the software.

https://github.com/keycloak/keycloak/blob/main/LICENSE.txt#L...

Indeed

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
replies(1): >>42137127 #
ziddoap No.42137127
Point 7, buried in the license document of the GitHub repository, is very much not https://www.keycloak.org/
replies(4): >>42137368 #>>42137403 #>>42137626 #>>42137846 #
willcipriano No.42137368
Customers have been refunded in full.
replies(1): >>42140667 #
mardifoufs No.42140667
Red Hat consumers have been refunded? Where?
replies(1): >>42140759 #
willcipriano No.42140759
As per the terms here: https://www.keycloak.org/pricing
replies(1): >>42142182 #
mardifoufs No.42142182
The point is that Red Hat also sells Keycloak and develops it. I agree that most users don't pay, but your point is a bit weird considering that some people do actually pay/paid for its development and still do not get a refund.