We love open source. Do you?
REWE digital loves Open Source
Open source software forms the backbone of our digital platforms, our software developers contribute to open source projects and we publish some of our own software under open source licenses.
Keycloak, a community project under the stewardship of Red Hat, is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code. We use Keycloak to manage and authenticate users for one of our applications. Since user authentication is a critical service, we decided to commission a security assessment of the latest Keycloak release. So that the results could be published, the test was conducted against a generic Keycloak setup rather than our own deployment.
REWE digital funded a security assessment carried out by Cure53, a well-known company specializing in penetration testing and security analysis. They have a long track record of executing tests for open source software. During the test phase, they also worked with the Keycloak security team to make sure that the findings could be fixed within a short timeframe.
Now that Cure53 has completed the test and the Keycloak team has released Keycloak 8.0.2 with the fixes, we are proud to make the final report available to the public at https://cure53.de/pentest-report_keycloak.pdf.
We want to thank Cure53 and especially the Keycloak security team for their collaboration. If you use Keycloak in your setup, we hope that this report is valuable to you. If you develop or fund security assessments of open source software, please consider publishing your report or its results to the public.