[keycloak-user] Guidelines for protecting Keycloak Endpoints
Thomas Darimont
thomas.darimont at googlemail.com
Thu Mar 24 06:48:50 EDT 2016
Hello group,
I'm about to configure our Web Application Firewall for Keycloak where I
want to implement
the following scenario:
CLIENT_ENDPOINTS:
All endpoints needed for Web SSO via OAuth 2.0 / OpenID Connect, as well as
the account and
login/totp/registration/forgot password pages should be accessible from the
public internet.
ADMIN_ENDPOINTS:
Admin endpoints like the Admin Console, Admin REST API etc. should only be
accessible
from the internal network.
Are there any guidelines for which URL pattern applies to which category
(CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?
To me, it seems that:
- "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.
- "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS category.
Have I missed anything else?
Btw. it turns out that some endpoints (unnecessarily) expose internal links
like:
"admin-api" if you go to: http://localhost:8080/auth/realms/my-realm/
{
realm: "my-realm",
public_key: "...",
token-service: "
http://localhost:8080/auth/realms/my-realm/protocol/openid-connect",
account-service: "http://localhost:8080/auth/realms/my-realm/account",
admin-api: "http://localhost:8080/auth/admin",
tokens-not-before: 0
}
Can this be disabled?
Cheers,
Thomas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/de0b5f29/attachment.html
More information about the keycloak-user
mailing list