The security of KeyCloak used as an identity proxy

Recently I was involved in a project where KeyCloak was used as an identity proxy: the target app was configured to use KeyCloak as its SSO provider, but KeyCloak delegated the authentication further to another IdP. So on login to the target app, the app would redirect the user to KeyCloak, which would further redirect to the IdP's login page. Upon authenticating there, the IdP redirected back to KeyCloak, which redirected to the target app. This double-redirect flow happened so fast that it was mostly transparent to the user.

My task was to review the security of this setup and I managed to find a few interesting bugs.

Authentication using kubernetes service account JWTs

Permissions for a Pod in Kubernetes are managed via Service Accounts, and these come with a JWT issued by the cluster. If a Pod needs to authenticate to an external service, it is reasonable to use this JWT, so let's see how to get it and how the external service should verify it.
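As an added example (not code from the original post), the Go program below shows the verification side of this flow. A locally generated RSA key stands in for the cluster's token issuer and mints a token shaped like a projected service account JWT; the verifier then does what an external service should: fixes the algorithm to RS256, picks the public key by kid from a key set (in a real deployment built from the JWKS referenced by the issuer's OIDC discovery document), and only after the signature checks out validates issuer, audience, expiry and the system:serviceaccount: subject prefix. The issuer URL, the my-api audience and the payments/checkout namespace and service account names are made up for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding // JWT segments are base64url without padding

// saClaims is the subset of a projected service account token that we check; such tokens
// carry "aud" as an array and describe the pod's identity under the "kubernetes.io" claim.
type saClaims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
	K8s struct {
		Namespace      string            `json:"namespace"`
		ServiceAccount map[string]string `json:"serviceaccount"`
	} `json:"kubernetes.io"`
}

// signRS256 mints a token; in this example it stands in for the cluster's token issuer.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// verifySAToken checks the signature with the key named by kid (RS256 only), then
// issuer, audience, expiry and that the subject really is a service account.
func verifySAToken(tok string, keys map[string]*rsa.PublicKey, issuer, aud string, now time.Time) (*saClaims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrJSON, e1 := enc.DecodeString(parts[0])
	body, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, fmt.Errorf("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg) // never let the token choose ("none", HS256)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c saClaims // claims are trusted only after the signature has checked out
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == aud
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case !audOK:
		return nil, fmt.Errorf("token not issued for audience %q", aud)
	case c.Exp == 0 || now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	case !strings.HasPrefix(c.Sub, "system:serviceaccount:"):
		return nil, fmt.Errorf("subject %q is not a service account", c.Sub)
	}
	return &c, nil
}

// sampleClaims is a constructed payload shaped like a projected token (names are made up).
func sampleClaims(now time.Time) map[string]any {
	return map[string]any{
		"iss": "https://kubernetes.default.svc", "sub": "system:serviceaccount:payments:checkout",
		"aud": []string{"my-api"}, "exp": now.Add(time.Hour).Unix(),
		"kubernetes.io": map[string]any{"namespace": "payments", "serviceaccount": map[string]string{"name": "checkout"}},
	}
}
```

Inside a pod the token itself is read from /var/run/secrets/kubernetes.io/serviceaccount/token, and the keys map is populated from the JWKS that the issuer's openid-configuration points at; the local signer exists only so the example runs offline. Pinning the algorithm and looking the key up by kid, rather than taking either from the token, is what keeps a forged alg=none or HMAC-confused token from passing.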

Kubernetes: cannot get path "//.well-known/openid-configuration"

I've been playing with using Kubernetes service account JWTs to authenticate Pods. To get the signing key for checking the JWT signature, I needed to hit the https://kubernetes.default.svc/.well-known/openid-configuration endpoint; however, because the URL came from a config file, it ended up being https://kubernetes.default.svc//.well-known/openid-configuration (mind the double //). This worked well locally, where everything runs under the powerful default service account, but when deployed I got an error saying:

Video for a Japanese learning podcast

This week I got to help out with a video for a Japanese learning podcast episode by Momoko sensei. I like taking photos, especially to capture life in Japan, so I was very happy for this opportunity to show them to the world. Most of the photos in the video are mine, except the ones at the purikura section. Enjoy!

Times Car Share

Even though Japan has amazing public transportation, sometimes having a car can make things so much better, like going for a day trip to the countryside or picking up someone at the station. This gets even more important as you leave Tokyo: for example Kyoto’s public transportation is mostly buses that can be significantly delayed due to traffic, and they are slower than cycling (due to stopping all the time). Moreover (especially on the weekend) they might only come once every 30 minutes, so you usually end up waiting at the bus stop for quite a while. Traditional car rentals are great for day trips, but get rather complicated and expensive for short trips.

The solution for this situation is car sharing: essentially a self-service car rental with support for very short rentals. I have been using Times Car Share, but other big players in the Japanese market are Orix and careco with very similar service and prices. At the end of the day it probably comes down to which one has a station close to where you live.
