mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 12:37:00 +01:00
Code Issues Actions 16 Packages Projects Releases Wiki Activity

docs(faq): Discuss options for TLS between LB and kanidm

Browse source
This commit is contained in:
Chance Harrison 2024-04-28 22:58:00 -07:00
parent ef2701687e
commit cc9433fbd4
No known key found for this signature in database
GPG key ID: B3D4DEF9BB56AB5B
1 changed files with 13 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
book/src/frequently_asked_questions.md
View file

@ -37,6 +37,19 @@ practice. This can allow account hijacking, privilege escalation, credential dis
information leaks and more. The entire path between a client and the server must be protected at all
times.
There are a variety of ways that you can configure TLS between your load balancer and Kanidm.
Ultimately, any option that maintains the confidentiality and integrity of the communication will
suffice. Some options include, but are not limited to:
- Generating a self-signed certificate
- Utilize certificate pinning to ensure that the load balancer only trusts connections made with
that particular certificate
- Not terminating TLS / TLS passthrough / TCP proxy
- Running your own certificate authority (CA)
The "best" option for you will depend on a number of factors, including your threat model and the
specifc load balancer you are using.
## OAuth2
[RFC6819 - OAuth2 Threat Model and Security Considerations](https://www.rfc-editor.org/rfc/rfc6819)