Why Not Use Keycloak?

Someone asked the question on our call today: "_why don't we just use `keycloak` for auth_?" 

https://github.com/keycloak/keycloak
![image](https://github.com/user-attachments/assets/d3dc13df-5124-4b93-8fcd-7534a6b70a99)

In a single word: `Security`
https://github.com/keycloak/keycloak/security
<img width="1119" alt="image" src="https://github.com/user-attachments/assets/ab5e5cc4-223a-4f82-b945-7d23fe7edec6">

`Session hijacking`, `DoS`, `XSS`, Leak of LADP, Path traversal ... 😬 
Unless you plan to _actively_ maintaining your `keycloak` instance with regular updates,
it's only a matter of time before another critical vulnerability appears and your auth is hacked.

It's a _good_ thing that `RedHat` are using it: https://access.redhat.com/products/red-hat-build-of-keycloak
Means that security-minded people have their eyes on it. 👀 
But unless you have a system to _automatically_ update and reboot your instance, it will get out-of-date _fast_! 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Why Not Use Keycloak? #357

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Why Not Use Keycloak? #357

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions