<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div>+1 for being able to disable exposing admin links to the outside world.<br></div>
<div>&nbsp;</div>
<div>&nbsp;</div>
<div>On Tue, Mar 24, 2016, at 6:48 AM, Thomas Darimont wrote:<br></div>
<blockquote type="cite"><div><div><div dir="ltr"><div><span>Hello group,</span><br></div>
<div>&nbsp;</div>
<div><span>I'm about to configure our Web Application Firewall for Keycloak where I want to implement</span><br></div>
<div><span>the following scenario:</span><br></div>
<div>&nbsp;</div>
<div><span>CLIENT_ENDPOINTS:</span><br></div>
<div><span>All endpoints needed for Web SSO via OAuth 2.0 / OpenID Connect, as well as the account and&nbsp;</span><br></div>
<div><span>login/totp/registration/forgot password pages should be accessible from the public internet.</span><br></div>
<div>&nbsp;</div>
<div><span>ADMIN_ENDPOINTS:</span><br></div>
<div><span>Admin endpoints like the Admin Console, Admin REST API etc. should only be accessible&nbsp;</span><br></div>
<div><span>from the internal network.</span><br></div>
<div>&nbsp;</div>
<div><span>Are there any guidelines for which URL pattern applies to which category (CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?</span><br></div>
<div>&nbsp;</div>
<div><span>To me, it seems that:</span><br></div>
<div><span>- "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.</span><br></div>
<div><span>- "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS category.</span><br></div>
<div><span>Have I missed anything else?</span><br></div>
<div>&nbsp;</div>
<div><span>Btw. it turns out that some endpoints (unnecessarily) expose internal links like:</span><br></div>
<div><span>"admin-api" if you go to: <a href="http://localhost:8080/auth/realms/my-realm/"> http://localhost:8080/auth/realms/my-realm/</a></span><br></div>
<div>&nbsp;</div>
<pre>
{
  realm: "my-realm",
  public_key: "...",
  token-service: "<a href="http://localhost:8080/auth/realms/my-realm/protocol/openid-connect">http://localhost:8080/auth/realms/my-realm/protocol/openid-connect</a>",
  account-service: "<a href="http://localhost:8080/auth/realms/my-realm/account">http://localhost:8080/auth/realms/my-realm/account</a>",
  admin-api: "<a href="http://localhost:8080/auth/admin">http://localhost:8080/auth/admin</a>",
  tokens-not-before: 0
}
</pre>
<div>&nbsp;</div>
<div><span>Can this be disabled?</span><br></div>
<div>&nbsp;</div>
<div><span>Cheers,</span><br></div>
<div><span>Thomas</span><br></div>
</div>
</div>
</div>
<div>&nbsp;</div>
</blockquote><div>&nbsp;</div>
</body>
</html>