keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0
22.31k stars, 6.61k forks

configuration options for securing infinispan #12846

Open arminfelder opened 2 years ago

arminfelder commented 2 years ago

Description

Infinispan can be secured with credentials as well as encryption; this should become standard, or at least be made easy to configure via env vars.

https://infinispan.org/docs/stable/titles/security/security.html

Discussion

No response

Motivation

At the moment Infinispan is not protected; therefore, anyone with network access to one of the Keycloak instances could just write a new user session into the cache. This should not be possible. I would therefore argue that mTLS, or TLS plus e.g. common secrets, should become the standard and should therefore be easy to configure via env vars.

Details

No response

dani commented 1 year ago

This is indeed an important issue. Maybe a first step would be to add a clear example in the docs of how to secure Infinispan for Keycloak. For now, it just says it should be secured and redirects to the Infinispan docs, which is not very helpful.

lgthibault commented 1 year ago

The struggle is very real here too.

I tried an Infinispan configuration from their integration test folder (here) with the following outcome:

2022-11-28 18:37:30,433 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: org.infinispan.commons.CacheConfigurationException: ISPN000327: Cannot find a parser for element 'server' in namespace 'urn:infinispan:server:13.0'. Check that your configuration is up-to date for Infinispan '13.0.10.Final' and if you have the proper dependency in the classpath

ahmedwarsama commented 1 year ago

I couldn't agree more. I am currently trying to set up symmetric encryption with JGroups in Infinispan. It is a lot harder than it needs to be.
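As an added example (my own, not configuration shipped by Keycloak or Infinispan), this is the transport part of a Keycloak `conf/cache-ispn.xml` with the cluster transport wrapped in SYM_ENCRYPT, the symmetric JGroups encryption that the original report asks for and that the previous comment is trying to set up. It also shows why the file copied from the Infinispan integration tests fails with ISPN000327: Keycloak embeds Infinispan as a library, so only the `urn:infinispan:config` schema is parsed; the `<server>` element and the `urn:infinispan:server` namespace belong to the standalone Infinispan Server. Assumptions: Keycloak on Infinispan 13 (JGroups 4.2, where the protocol to insert after is called `VERIFY_SUSPECT`; check the name in the stack you extend on other versions), a keystore at `/opt/keycloak/conf/jgroups.p12` with key alias `jgroups`, an environment variable `KC_JGROUPS_KEYSTORE_PASSWORD` (a name I chose; Keycloak defines no such variable), and that `--cache-stack` is not passed on the command line, since that would select a built-in stack instead of the one defined here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: transport section of a Keycloak conf/cache-ispn.xml with
     symmetric JGroups encryption. Keycloak runs Infinispan embedded, so the
     root element is <infinispan> in the urn:infinispan:config namespace.
     <server> / urn:infinispan:server exists only in Infinispan Server and is
     what produces ISPN000327 "Cannot find a parser for element 'server'"
     when such a file is handed to Keycloak. -->
<infinispan
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:infinispan:config:13.0 http://www.infinispan.org/schemas/infinispan-config-13.0.xsd"
        xmlns="urn:infinispan:config:13.0">

    <jgroups>
        <!-- Derive a stack from the built-in "tcp" stack rather than listing
             every protocol by hand. TCP is chosen over the default udp
             (multicast) stack because it is also what a sidecar proxy or
             firewall rule can carry and restrict. -->
        <stack name="encrypt-tcp" extends="tcp">
            <!-- SYM_ENCRYPT encrypts every cluster message with the AES key
                 held in the keystore. A host that has network access but not
                 the key can neither read traffic nor inject a message: a
                 frame that fails to decrypt is dropped, which closes the
                 "write a new session into the cache from the network" case
                 from the original report.
                 Passwords are pulled from an environment variable (assumed
                 name) through Infinispan's ${env.NAME} substitution so that no
                 secret is written into this file.
                 sym_algorithm="AES" alone means AES in ECB mode with no IV;
                 the CBC transformation plus sym_iv_length is assumed to be
                 available in the JGroups 4.2 bundled with Infinispan 13. -->
            <SYM_ENCRYPT keystore_name="/opt/keycloak/conf/jgroups.p12"
                         keystore_type="PKCS12"
                         store_password="${env.KC_JGROUPS_KEYSTORE_PASSWORD}"
                         key_password="${env.KC_JGROUPS_KEYSTORE_PASSWORD}"
                         alias="jgroups"
                         sym_algorithm="AES/CBC/PKCS5Padding"
                         sym_iv_length="16"
                         stack.combine="INSERT_AFTER"
                         stack.position="VERIFY_SUSPECT"/>
        </stack>
    </jgroups>

    <cache-container name="keycloak">
        <!-- Point the cluster transport at the encrypted stack. Leave
             --cache-stack unset when starting Keycloak; the built-in stack
             named there would replace this one. -->
        <transport lock-timeout="60000" stack="encrypt-tcp"/>

        <!-- The cache definitions (realms, users, sessions,
             authenticationSessions, offlineSessions, clientSessions,
             offlineClientSessions, loginFailures, work, authorization, keys,
             actionTokens) are unchanged from the default conf/cache-ispn.xml
             shipped with Keycloak and are omitted here; copy them from that
             file into this container. -->
    </cache-container>
</infinispan>
```

The key is generated once with `keytool -genseckey -alias jgroups -keyalg AES -keysize 256 -storetype PKCS12 -keystore /opt/keycloak/conf/jgroups.p12` and the keystore is copied to every node; Keycloak is then started with the variable set and the file selected, e.g. `KC_JGROUPS_KEYSTORE_PASSWORD=... bin/kc.sh start --cache=ispn --cache-config-file=cache-ispn-encrypted.xml` (the path is relative to `conf/`). Two caveats: a shared symmetric key means whoever holds the keystore is a cluster member, so rotation requires redistributing it to all nodes, and SYM_ENCRYPT protects only JGroups traffic between Keycloak nodes, not the HTTP endpoints or the database connection.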

SeWieland commented 1 year ago

Just a side note here: using a service mesh like https://linkerd.io/ can take care of mTLS without further configuration of KC.