
Once you're a Keycloak user you can figure out if someone is using Keycloak within seconds, e.g. I know my credit card company uses it. And this isn't a matter of security; security by obscurity is a really bad idea.


Are you referring to the formatting/contents of the session token, or some other way to tell within seconds?


The cookie name and login/registration URL (realm) give it away immediately.



