←back to thread

An analysis of the Keycloak authentication system

(security.humanativaspa.it)
189 points udev4096 | 1 comments | 14 Nov 24 13:32 UTC | HN request time: 0.202s | source
Show context
mickael-kerjean ◴[14 Nov 24 14:57 UTC] No.42136723[source]
What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Having very high expectations when using the software without contributing anything else than public shaming on something that clearly state in the license: "Licensor provides the Work ... WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND" shouldn't be ok, this is quite literally how you make open source developer to burn out

replies(7): >>42136837 #>>42136872 #>>42136966 #>>42137033 #>>42137338 #>>42137517 #>>42137650 #
tapoxi ◴[14 Nov 24 15:21 UTC] No.42137033[source]
Keycloak is a Red Hat product and is a dependency for many Red Hat products so I'd love it if people running the open source release can report the bug and get feedback. This isn't a student eating ramen supporting this software, its IBM.
replies(1): >>42137535 #
hiciu ◴[14 Nov 24 16:02 UTC] No.42137535[source]
Keycloak has been donated to CNCF in 2023. So it's not a RH / IBM product anymore.

I would even go as far as say that it never was; Red Hat had their own product called "Red Hat Single Sign On" that was, for some time, based on opensource Keycloak project, but the opensource Keycloak project has existed before RH SSO. And exists now that RH SSO product has been deprecated (retired? Idk what happened).

Red Hat does offer a "Red Hat build of Keycloak" now, and of course Keycloak would not exists in it's current form without Red Hat.

But saying that "Keycloak is a Red Hat product and therefore Red Hat and / or IBM should support it" would be, in my opinion, harmful for the whole opensource movement. If, by being engaged with opensource project, a company risks it's reputation then such company could decide against any engagement, or would engage only if it could keep control of the project / community around it.

replies(3): >>42137753 #>>42138004 #>>42138921 #
tofflos ◴[14 Nov 24 17:50 UTC] No.42138921[source]
Off-topic but I love this naming convention from Red Hat which I hope gets more traction across the industry. It absolutely detest wading through vendor marketing material to figure out which open source product is being used under the hood. With names like "Red Hat Build of Keycloak" and "Microsoft Build of OpenJDK" it's crystal clear.

I believe it works out better for the vendors as well because there are so many obstacles with evaluating anything that requires a license in an enterprise setting. If the technical person downloads and evaluates the underlying open source version some manager will insist on purchasing a support contract before going to production.

replies(1): >>42167606 #
1. bigfatkitten ◴[17 Nov 24 21:46 UTC] No.42167606[source]
Though Red Hat did a search and replace for RHSSO with "Red Hat Build of Keycloak" in their docs, and now they are extremely painful to read with Red Hat Build of Keycloak sometimes appearing three times in one sentence when "Keycloak" or some other shortened form would suffice.