Thursday, 28 April 2016

Keycloak 1.9.3.Final Released

We've just released 1.9.3.Final. This release has a few bug fixes, but mainly we've focused on increasing test coverage for this release.

For the full list of resolved issues check out JIRA and to download the release go to the Keycloak homepage.

Thursday, 14 April 2016

Keycloak 1.9.2.Final released

The team has done an awesome job this time around and we've spent the last few weeks polishing and fixing! With 141 issues resolved this release takes us one step closer to having a supported version of Keycloak. For the next release we will focus on extending our testsuite as well as improving documentation. If you haven't already upgraded to 1.9.x now is the time!

For the full list of resolved issues check out JIRA and to download the release go to the Keycloak homepage.

Wednesday, 9 March 2016

Keycloak 1.9.1.Final Released

For the full list of resolved issues check out JIRA and to download the release go to the Keycloak homepage.

Thursday, 3 March 2016

Commercial support

We're very pleased to announce that Red Hat is working on a commercially supported version of Keycloak. At the moment we can't give any details around product name, release date or subscription model. What we can tell you is that the supported version will be based on Keycloak 1.9.x.

Rather than working on new features we're currently focusing on performance, bug fixes and general polishing. We will be releasing minor releases of 1.9.x every few weeks going forward. This means that we highly recommend you upgrade to 1.9.x now. It will get continuous fixes, including security fixes, until the commercially supported version is ready. Going forwards we'll also be very unlikely to answer questions or help with problems unless you've upgraded to 1.9.x. We'd also appreciate all the review and feedback we can get on this release. We want to make it as good as possible.

Tuesday, 23 February 2016

Keycloak 1.9.0.Final Released

For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.

Friday, 19 February 2016

Musing on JSON Web Tokens

I just got back from the DevNexus conference in Atlanta.  There, I attended several security-related talks.  One of them was on using JSON Web Tokens (JWT).  The presenter explained that JWT is "session cookies done right".

Afterward, I was discussing the talk with an old colleague I hadn't seen in years.  He seemed impressed and told me about how this was just what he needed to secure some of his legacy REST endpoints.  I remarked that yes, JWT is good and we use it in Keycloak as part of our OpenID Connect implementation.  I also said that I thought it was a mistake to roll your own.  You wouldn't really do this yourself.  You would use a tool that manages the tokens for you.  He didn't seem convinced, and I didn't have a good coherent argument so I dropped the subject.

Then that evening there was another talk that mentioned JWT.  This presenter told us, no, JWT is bad.  He says, well, it's not really bad.  It's probably the best choice if you know what you are doing.  Then he proceeded to tell us about security problems in old versions of JWT libraries and how even with the latest code you might not get it right.

Though it wasn't really the focus of his talk, this guy seemed to be saying that the best solution is to "roll your own" token.

Uh, no.

But I wish my friend had seen that talk as well.  Now I had my answer for him.  Security is hard.  Use Keycloak or use some other product.  Just don't get cute and try to do JWT yourself.

Stan


Thursday, 4 February 2016

Keycloak 1.8.1.Final and 1.9.0.CR1 released

Today we have two releases. As 1.8.0.Final was released before WildFly 10 Final was available, we decided to release 1.8.1.Final which is now built on top of WildFly 10 Final.

The bigger release today is 1.9.0.CR1. This release contains a large number of bug fixes and improvements, but no major new features.

For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.