[keycloak-dev] Remove realm json at "/auth/realms/<realm name>"
sthorger at redhat.com
Thu Aug 17 00:48:08 EDT 2017
On 16 August 2017 at 12:12, John D. Ament <john.d.ament at gmail.com> wrote:
> KEYCLOAK-5279 isn't asking to split it out. We're dealing with the access
> at a network level, making it so that certain URIs aren't accessible. But
> the ability to hide the fact that it may need to exist is important.
> I think the more relevant ticket is KEYCLOAK-5277, where at least in a
> multitenant fashion the fact that a realm may exist is considered sensitive
> information. The fact that there's a public API that returns 200/404 if a
> realm exists is considered a problem, so having it removed would alleviate
> any concerns in that area.
Firstly, I disagree that exposing if a realm name is a valid realm or not
is not a particular big risk. Folks can find valid realm names just by
logging in to your apps.
Secondly, there's no way to stop someone from being able to detect if a
realm name is valid or not. Pretty much every endpoint the server has can
tell you that. I assume you're not seriously expecting us to provide some
sort of fake realm where there is none?
> On Tue, Aug 15, 2017 at 1:19 PM Bill Burke <bburke at redhat.com> wrote:
> > The idea of that URL is to expose public information about the realm,
> > i.e. public cert/key and public endpoint urls. If this information is
> > not being used and we have other mechanisms in place, then yeah, remove
> > IMO, the jira you reference is unrelated. Its about shutting down the
> > admin console/API. As far as that goes, it would be cool to split up
> > keycloak into separate subsystems:
> > * backend (required)
> > * admin api/console
> > * account service
> > * authentication/brokering/token endpoints
> > Even have the admin api/console be exposed from a different bind
> > address/port.
> > On 8/15/17 8:00 AM, Stian Thorgersen wrote:
> > > I propose we remove the realm json returned at "/auth/realms/<realm
> > name>"
> > > and just return an empty page
> > >
> > > * It can end-up being visible to end-users - we should rather have a
> > realm
> > > welcome page / SSO landing page here
> > > * It's not used by anything AFAIK
> > > * From time to time people complain about it (
> > > https://issues.jboss.org/browse/KEYCLOAK-5279 for instance, there's
> > > similar issues reported)
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
More information about the keycloak-dev