<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 24/03/16 11:48, Thomas Darimont
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAK-7U1i3oo-8=LiYhM7QUBvtZ1T_NPSJG0TjzxiYsL7yrTRyTQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>Hello group,</div>
        <div><br>
        </div>
        <div>I'm about to configure our Web Application Firewall for
          Keycloak where I want to implement</div>
        <div>the following scenario:</div>
        <div><br>
        </div>
        <div>CLIENT_ENDPOINTS:</div>
        <div>All endpoints needed for Web SSO via OAuth 2.0 / OpenID
          Connect, as well as the account and </div>
        <div>login/totp/registration/forgot password pages should be
          accessible from the public internet.</div>
        <div><br>
        </div>
        <div>ADMIN_ENDPOINTS:</div>
        <div>Admin endpoints like the Admin Console, Admin REST API etc.
          should only be accessible </div>
        <div>from the internal network.</div>
        <div><br>
        </div>
        <div>Are there any guidelines for which URL pattern applies to
          which category (CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?</div>
      </div>
    </blockquote>
    I think that all the stuff related to admin REST endpoints or the admin
    console UI is under /auth/admin/*.<br>
    <br>
    For accessing the admin console just from local addresses, we don't
    support it AFAIK, but you can achieve it with some custom proxy/filter,
    which will reject requests coming from external IP addresses.<br>
    <br>
    For the future, we plan to improve authorization/permissions for the
    admin console. As part of this, it will be possible to create an
    authorization rule to limit access just to some IP addresses. Not sure
    when this will be available though...<br>
    <br>
    Marek<br>
    <blockquote
cite="mid:CAK-7U1i3oo-8=LiYhM7QUBvtZ1T_NPSJG0TjzxiYsL7yrTRyTQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>To me, it seems that:</div>
        <div>- "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.</div>
        <div>- "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS
          category.</div>
        <div>Have I missed anything else?</div>
        <div><br>
        </div>
        <div>Btw. it turns out that some endpoints (unnecessarily)
          expose internal links like:</div>
        <div>"admin-api" if you go to: <a moz-do-not-send="true"
            href="http://localhost:8080/auth/realms/my-realm/">http://localhost:8080/auth/realms/my-realm/</a></div>
        <div><br>
        </div>
        <div>{</div>
        <div>realm: "my-realm",</div>
        <div>public_key: "...",</div>
        <div>token-service: "<a moz-do-not-send="true"
href="http://localhost:8080/auth/realms/my-realm/protocol/openid-connect">http://localhost:8080/auth/realms/my-realm/protocol/openid-connect</a>",</div>
        <div>account-service: "<a moz-do-not-send="true"
            href="http://localhost:8080/auth/realms/my-realm/account">http://localhost:8080/auth/realms/my-realm/account</a>",</div>
        <div>admin-api: "<a moz-do-not-send="true"
            href="http://localhost:8080/auth/admin">http://localhost:8080/auth/admin</a>", </div>
        <div>tokens-not-before: 0</div>
        <div>}</div>
        <div><br>
        </div>
        <div>Can this be disabled?</div>
        <div><br>
        </div>
        <div>Cheers,</div>
        <div>Thomas</div>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
    </blockquote>
    <br>
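    One way to implement the split discussed above (internal-only
    /auth/admin, public per-realm endpoints), as an added example that is
    not part of this thread and not Keycloak's own configuration: an nginx
    reverse-proxy fragment placed in front of Keycloak. Everything not
    stated in the thread is an assumption and is marked as such in the
    comments: the backend at 127.0.0.1:8080, the 10.0.0.0/8 and
    192.168.0.0/16 internal ranges, the placeholder hostname
    sso.example.com, and the /auth/resources/ path under which Keycloak of
    that era serves theme assets (check it against your deployment).<br>
    <br>

```nginx
# Added example, not from the original thread. Assumptions: Keycloak
# (context path /auth) listens on 127.0.0.1:8080 behind this nginx;
# 10.0.0.0/8 and 192.168.0.0/16 stand in for the internal network;
# sso.example.com is a placeholder hostname.
upstream keycloak {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name sso.example.com;
    # ssl_certificate / ssl_certificate_key omitted here

    # ADMIN_ENDPOINTS: Admin Console UI and Admin REST API are all under
    # /auth/admin. "^~" is a prefix match that takes precedence over regex
    # locations. The prefix deliberately has no trailing slash so that the
    # bare "/auth/admin" advertised in the realm descriptor is covered too.
    # nginx resolves ".." segments, collapses "//" and decodes percent-
    # encoding before matching, so "/auth/realms/x/../../admin" lands here.
    location ^~ /auth/admin {
        allow 10.0.0.0/8;        # assumed internal ranges
        allow 192.168.0.0/16;
        deny all;                # everyone else receives 403
        proxy_pass http://keycloak;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # CLIENT_ENDPOINTS: per-realm OAuth 2.0 / OpenID Connect protocol
    # endpoints plus the login, registration, TOTP, forgot-password and
    # account pages. Reachable from the public internet.
    location ^~ /auth/realms/ {
        proxy_pass http://keycloak;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Theme assets (CSS, JS, images) referenced by the login and account
    # pages. Assumed path; verify it matches what your Keycloak serves.
    location ^~ /auth/resources/ {
        proxy_pass http://keycloak;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Default deny: anything else (including the welcome page at /auth/)
    # is not needed by clients, so it is not exposed at all.
    location / {
        return 404;
    }
}
```

    Two points to keep in mind when using this. First, allow/deny act on
    $remote_addr, the address of the direct TCP peer, so the rule is only
    meaningful if this nginx is the edge of the network; if another proxy
    or load balancer sits in front of it, nginx must be configured to trust
    that hop's X-Forwarded-For (the realip module) or the check compares
    against the wrong address. Second, Keycloak itself should be told it is
    behind a reverse proxy (its reverse-proxy documentation describes
    enabling proxy-address-forwarding on the Undertow HTTP listener) so that
    its own logs and any future IP-based authorization rules see the
    client's address instead of 127.0.0.1. Validate the file with
    <code>nginx -t</code> before reloading.<br>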
  </body>
</html>