mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-04-19 16:55:38 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge cc9433fbd4 into ad012cd6fd

Browse source
This commit is contained in:
ChanceHarrison 2025-04-05 03:31:43 +02:00 committed by GitHub
parent ad012cd6fd cc9433fbd4
commit dad04058c6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 13 additions and 0 deletions

13
book/src/frequently_asked_questions.md
View file

@ -52,6 +52,19 @@ configured.
Similarly, WebAuthn and its various other names like Passkeys, FIDO2 or "scan the QR code to log in" Similarly, WebAuthn and its various other names like Passkeys, FIDO2 or "scan the QR code to log in"
will [only work over TLS](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API). will [only work over TLS](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).
There are a variety of ways that you can configure TLS between your load balancer and Kanidm.
Ultimately, any option that maintains the confidentiality and integrity of the communication will
suffice. Some options include, but are not limited to:
- Generating a self-signed certificate
- Utilize certificate pinning to ensure that the load balancer only trusts connections made with
that particular certificate
- Not terminating TLS / TLS passthrough / TCP proxy
- Running your own certificate authority (CA)
The "best" option for you will depend on a number of factors, including your threat model and the
specifc load balancer you are using.
## OAuth2 ## OAuth2
[RFC6819 - OAuth2 Threat Model and Security Considerations](https://www.rfc-editor.org/rfc/rfc6819) [RFC6819 - OAuth2 Threat Model and Security Considerations](https://www.rfc-editor.org/rfc/rfc6819)