Tuesday, 23 February 2016
Friday, 19 February 2016
Musing on JSON Web Tokens
I just got back from the DevNexus conference in Atlanta. There, I attended several security-related talks. One of them was on using JSON Web Tokens (JWT). The presenter explained that JWT is "session cookies done right".
Afterward, I was discussing the talk with an old colleague I hadn't seen in years. He seemed impressed and told me about how this was just what he needed to secure some of his legacy REST endpoints. I remarked that yes, JWT is good and we use it in Keycloak as part of our OpenID Connect implementation. I also said that I thought it was a mistake to roll your own. You wouldn't really do this yourself. You would use a tool that manages the tokens for you. He didn't seem convinced, and I didn't have a good coherent argument, so I dropped the subject.
Then that evening there was another talk that mentioned JWT. This presenter told us, no, JWT is bad. He says, well, it's not really bad. It's probably the best choice if you know what you are doing. Then he proceeded to tell us about security problems in old versions of JWT libraries and how even with the latest code you might not get it right.
Though it wasn't really the focus of his talk, this guy seemed to be saying that the best solution is to "roll your own" token.
Uh, no.
But I wish my friend had seen that talk as well. Now I had my answer for him. Security is hard. Use Keycloak or use some other product. Just don't get cute and try to do JWT yourself.
Stan
Thursday, 4 February 2016
Keycloak 1.8.1.Final and 1.9.0.CR1 released
Today we have two releases. As 1.8.0.Final was released before WildFly 10 Final was available, we decided to release 1.8.1.Final which is now built on top of WildFly 10 Final.
The bigger release today is 1.9.0.CR1. This release contains a large number of bug fixes and improvements, but no major new features.
For the full list of issues resolved, check out JIRA; to download the release, go to the Keycloak homepage.