Am Dienstag, 9. Dezember, zwei Vorträge in #Hamburg – „Wie man einen #Keycloak sicher hält und worauf man achten sollte“ sowie „Was man in .git und .env im www findet“
https://hamburg.ccc.de/blog/2025/12/09/owasp-stammtisch-im-ccchh-am-9.12.2025/
Is there a dead simple guide to keycloak authorization policies?
I basically want to prevent all users from accessing an application unless they have a specific role (which grants them access through their group)
The policy seemingly always evaluates as deny for now, even though there's sometimes a permit, but even with it evaluating to deny, I can still login to the application?
It's amazing to see that #DeGoogling is possible. 😎🙌
Share your favorite DeGoogle apps in the comments!
@Tutanota My favorite #Degoogle and #Demicrosoft solutions:
Server side: @doncow, @nextcloud, some #Fediverse projects, #Matrix (Synapse) #Keycloak for SSO
Client side (Linux): #Evolution, #Libreoffice, #Librewolf
Mobile ( @GrapheneOS ): #FairEmail, #Firefox, some Fediverse clients, Matrix client
Alex Akselrod
boosted
On weekend I managed to connect all my selfhosted services that support it to the #Keycloak#SSO (single sign on).
Namely #Mastodon#Peertube#NextCloud #FreshRSS#Matomo and #grafana
Why to bother with such complication for apps serving only a couple of users?
First it's quite easy nowadays.
And second, because I want to get rid of passwords and just use #passkeys .
This is one of many examples showing that good apps should just focus on one task and just use standards to cooperate with other apps focusing on other tasks.
Peertube for example focuses on videos, not user management. I am very OK that they don't support passkeys, because they implemented OpenId Connect standard to allow me use Keycloak for better login options.
On the other hand, I am quite sad that SSO is often the one feature, that is proprietary and reserved only for paying customers. SSO is not for huge corporations anymore. It's also usefull for us, selfhosters with couple of users.
❤️ 
On weekend I managed to connect all my selfhosted services that support it to the #Keycloak#SSO (single sign on).
Namely #Mastodon#Peertube#NextCloud #FreshRSS#Matomo and #grafana
Why to bother with such complication for apps serving only a couple of users?
First it's quite easy nowadays.
And second, because I want to get rid of passwords and just use #passkeys .
This is one of many examples showing that good apps should just focus on one task and just use standards to cooperate with other apps focusing on other tasks.
Peertube for example focuses on videos, not user management. I am very OK that they don't support passkeys, because they implemented OpenId Connect standard to allow me use Keycloak for better login options.
On the other hand, I am quite sad that SSO is often the one feature, that is proprietary and reserved only for paying customers. SSO is not for huge corporations anymore. It's also usefull for us, selfhosters with couple of users.
❤️
Kurzer Nachtrag, ich möchte ja auch Lösungen liefern:
Sollte jemand interesse an einer skalierbaren, sicheren und preiswerten Infrastruktur inkl. Chat, Video, Cloud (inkl Collabora), Wiki, Mastodon, sowie Groupware (open XChange) und IDM an alle Dienste interessiert sein, gerne melden. Wir haben dieses System letztes Jahr mit dem Relaunch des NABU-Netz komplett auf open-source Basis für mehrere tausend Personen bereits umgesetzt.
#opensource #naturschutz #datenschutz #kubernetes #opencloud #matrix #keycloak #bookstack #opentofu #openxchange #mastodon #jitsi