[keycloak-dev] Remove realm json at "/auth/realms/<realm name>"
sthorger at redhat.com
Thu Aug 17 00:46:17 EDT 2017
On 16 August 2017 at 15:40, Alexey Kazakov <alkazako at redhat.com> wrote:
> On 08/15/2017 05:00 AM, Stian Thorgersen wrote:
> > I propose we remove the realm json returned at "/auth/realms/<realm
> > and just return an empty page
> > * It can end-up being visible to end-users - we should rather have a
> > welcome page / SSO landing page here
> What is wrong with exposing this json to users?
Nothing much really. There are no details there that are sensitive, nor any that can't
easily be found out regardless. It doesn't look good if an end-user happens
to go to this URL though and is shown some JSON file rather than an HTML
> > * It's not used by anything AFAIK
> I'm not sure if this endpoint is documented, but it can be used by
> users/clients. For example, we use this endpoint to fetch the public key
> of the realm in openshift.io, plus for a simple health check. Should
> something else be used instead?
For public keys use:
That's what our adapters use and it's an OIDC standard endpoint.
> > * From time to time people complain about it (
> > https://issues.jboss.org/browse/KEYCLOAK-5279 for instance, there's more
> > similar issues reported)
> It seems that I don't have access to this issue. What kind of problems
> can this endpoint cause?
Folks claim it's a security issue. I disagree with that, but it comes up
from time to time.
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
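The migration discussed above (clients that read the realm public key or probe "/auth/realms/<realm>" switching to the standard OIDC discovery document and JWKS), as an added example that is not part of the thread or of Keycloak itself. It assumes the standard OIDC discovery path appended to the realm URL from the thread; the sample documents, issuer and key material are constructed, not captured from a server.

```python
"""Client-side replacement for reading the realm public key from
/auth/realms/<realm>: use the OIDC discovery document and JWKS instead.
Example code added for illustration, not Keycloak project code."""
import base64
import json


def b64url_to_int(s):
    """Decode a base64url-encoded big-endian integer (JWK 'n' / 'e')."""
    s += "=" * (-len(s) % 4)  # JWK values omit padding; restore it
    return int.from_bytes(base64.urlsafe_b64decode(s), "big")


def discovery_url(base_url, realm):
    """Standard OIDC discovery location under the realm URL (assumption)."""
    return f"{base_url}/auth/realms/{realm}/.well-known/openid-configuration"


def health_check(discovery_doc, expected_issuer):
    """Replace probing /auth/realms/<realm>: the realm must publish the
    issuer we expect and a jwks_uri that lives under that issuer."""
    doc = json.loads(discovery_doc)
    return (doc.get("issuer") == expected_issuer
            and doc.get("jwks_uri", "").startswith(expected_issuer + "/"))


def signing_key(jwks_doc, kid, min_bits=2048):
    """Select the RSA signing key with the given kid and return (n, e).
    Rejects keys that are not RS256 signing keys or whose modulus is short."""
    for jwk in json.loads(jwks_doc).get("keys", []):
        if jwk.get("kid") != kid:
            continue
        if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
            raise ValueError("key %s is not an RSA signing key" % kid)
        if jwk.get("alg", "RS256") != "RS256":
            raise ValueError("key %s is not an RS256 key" % kid)
        n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
        if n.bit_length() < min_bits:
            raise ValueError("modulus too short: %d bits" % n.bit_length())
        return n, e
    raise KeyError("no key with kid %s in JWKS" % kid)


# Constructed sample documents (not from a live server); the modulus is
# a placeholder 2048-bit value, not a real key.
ISSUER = "https://sso.example.com/auth/realms/demo"
DISCOVERY = json.dumps({"issuer": ISSUER,
                        "jwks_uri": ISSUER + "/protocol/openid-connect/certs"})
_N = base64.urlsafe_b64encode(b"\xa5" * 256).rstrip(b"=").decode()
JWKS = json.dumps({"keys": [{"kty": "RSA", "kid": "k1", "use": "sig",
                             "alg": "RS256", "n": _N, "e": "AQAB"}]})
```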