Svelte-kit and Keycloak OIDC

There’s NextAuth.js from Vercel, which was made for Next.js.

Recently it was adapted for svelte-kit.

The announcement post:
https://vercel.com/blog/announcing-sveltekit-auth

The keycloak provider doc:
https://next-auth.js.org/providers/keycloak

The example repository:
https://github.com/nextauthjs/sveltekit-auth-example

Well, at first sight it does work: sign in, sign out, requiring auth for pages, it all works.
However, you need a confidential client.
And the token you get that way isn’t compatible with the server-side API (RESTful/GraphQL), which expects a non-confidential (public) client.
Also, it doesn’t use the sign-in page of the Keycloak server but its own “Sign in with Keycloak” page.
Roles are not present, and there is no documentation about how to change the scope.
Yes, it can probably be adjusted, but it’s not documented.

Why does Svelte not have a SPA mode?
Why do I have to write an SSR/universal “app” when using Svelte?

archlinux: pacman: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory

Upgrade only openssl from 1.1.1 to version 3 and you get this error: sudo doesn’t work, pacman doesn’t work, so what do you do?

Well, hopefully you have not deleted previously downloaded packages from /var/cache/pacman/pkg/.
If you have, read about the Arch Linux Archive; you will need a USB drive/stick/whatever with an archiso written on it. I will not go there.

Assuming you do have a previous version, for instance /var/cache/pacman/pkg/openssl-1.1.1.q-1-x86_64.pkg.tar.zst:
since you can’t sudo, use su - to become root.

nginx: [emerg] unknown “tls1_3_early_data” variable

If you’re getting this error message from nginx -t or otherwise,
for instance if you’re copy/pasting Mattermost’s nginx configuration,
know that the variable is $ssl_early_data instead of $tls1_3_early_data.

I’m not sure, but I’m guessing the nginx developers renamed that variable; I’m just not sure when that happened. $tls1_3_early_data must have worked some time ago, but on my nginx version it doesn’t and I have to use the $ssl_early_data variable.
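The fragment below is an added illustration, not taken from this post or from Mattermost’s documentation: it shows the failing line next to the working one in the place it is normally used, the Early-Data header nginx forwards to the backend. The upstream name, port, hostname and certificate paths are placeholders.

```nginx
# Added example: the early-data variable in context.
# Upstream name, port, hostname and certificate paths are placeholders.
upstream app_backend {
    server 127.0.0.1:8065;
}

server {
    listen 443 ssl;
    server_name chat.example.invalid;
    ssl_certificate     /etc/ssl/example.invalid/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.invalid/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Accept TLS 1.3 0-RTT data. Requests sent as early data can be
    # replayed by someone on the network path, so the backend must be
    # told which requests arrived that way.
    ssl_early_data on;

    location / {
        proxy_pass http://app_backend;

        # This line makes "nginx -t" fail with
        # [emerg] unknown "tls1_3_early_data" variable:
        # proxy_set_header Early-Data $tls1_3_early_data;

        # Correct variable: $ssl_early_data is "1" while the request was
        # received in early data and the handshake is not yet complete,
        # and empty otherwise. An application that sees "Early-Data: 1" on
        # a non-idempotent request should answer 425 Too Early (RFC 8470)
        # so the client retries after the handshake has finished.
        proxy_set_header Early-Data $ssl_early_data;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Without the header, enabling ssl_early_data gives the backend no way to tell replayed 0-RTT requests from fresh ones.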

See also:
nginx ssl early data
Mattermost’s nginx configuration

Keycloak Client Passwords are insecure by default

And the maintainers refuse to change that, responding with bureaucratic measures and general ignorance.

When you have a UUID string, for example “192c1916-de80-4003-a01b-b2eaf97a1721”, first of all: those aren’t 128 bits.
You have a representation of those 128 bits using a very limited set of characters, 0123456789abcdef, so you represent those 128 bits with only 16 characters out of 256 possible, effectively reducing the bit-“strength” to 128/(256/16)=8 bits. And of course you know how many characters 8 bits are: exactly 1.

So now you have 32 characters, each of which can only take one of the values [0-9a-f]. How long does it take to brute force 32 characters with 16 possible values per character?

Keycloak client passwords are insecure by default, and that may be because of laziness, which I first assumed, stupidity, which is quite common, or by design.