[keycloak-user] discovery and key security

Simon Payne simonpayne58 at gmail.com
Thu Aug 10 05:18:22 EDT 2017


Hi,

I have found that the .well-known and jwks_uri endpoints are left unsecured,
meaning that unauthenticated clients can discover the auth server configuration
and signing keys.

Surely we should require a minimum of basic authentication using client id
and secret?

Thanks,

Simon.

