[keycloak-dev] Remove realm json at "/auth/realms/<realm name>"

John D. Ament john.d.ament at gmail.com
Wed Aug 16 06:12:04 EDT 2017

KEYCLOAK-5279 isn't asking to split it out.  We're dealing with the access
at a network level, making it so that certain URIs aren't accessible.  But
the ability to hide the fact that it may need to exist is important.

I think the more relevant ticket is KEYCLOAK-5277, where at least in a
multitenant fashion the fact that a realm may exist is considered sensitive
information.  The fact that there's a public API that returns 200/404 if a
realm exists is considered a problem, so having it removed would alleviate
any concerns in that area.

On Tue, Aug 15, 2017 at 1:19 PM Bill Burke <bburke at redhat.com> wrote:

> The idea of that URL is to expose public information about the realm,
> i.e. public cert/key and public endpoint urls.  If this information is
> not being used and we have other mechanisms in place, then yeah, remove it.
> IMO, the jira you reference is unrelated.  Its about shutting down the
> admin console/API.  As far as that goes, it would be cool to split up
> keycloak into separate subsystems:
> * backend (required)
> * admin api/console
> * account service
> * authentication/brokering/token endpoints
> Even have the admin api/console be exposed from a different bind
> address/port.
> On 8/15/17 8:00 AM, Stian Thorgersen wrote:
> > I propose we remove the realm json returned at "/auth/realms/<realm
> name>"
> > and just return an empty page
> >
> > * It can end-up being visible to end-users - we should rather have a
> realm
> > welcome page / SSO landing page here
> > * It's not used by anything AFAIK
> > * From time to time people complain about it (
> > https://issues.jboss.org/browse/KEYCLOAK-5279 for instance, there's more
> > similar issues reported)
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list