KEYCLOAK-5279 isn't asking to split it out. We're dealing with the access
at a network level, making it so that certain URIs aren't accessible. But
the ability to hide the fact that it may need to exist is important.
I think the more relevant ticket is KEYCLOAK-5277, where at least in a
multitenant fashion the fact that a realm may exist is considered sensitive
information. The fact that there's a public API that returns 200/404 if a
realm exists is considered a problem, so having it removed would alleviate
any concerns in that area.
On Tue, Aug 15, 2017 at 1:19 PM Bill Burke <bburke(a)redhat.com> wrote:
The idea of that URL is to expose public information about the realm,
i.e. public cert/key and public endpoint urls. If this information is
not being used and we have other mechanisms in place, then yeah, remove it.
IMO, the jira you reference is unrelated. It's about shutting down the
admin console/API. As far as that goes, it would be cool to split up
keycloak into separate subsystems:
* backend (required)
* admin api/console
* account service
* authentication/brokering/token endpoints
Even have the admin api/console be exposed from a different bind
address/port.
On 8/15/17 8:00 AM, Stian Thorgersen wrote:
> I propose we remove the realm json returned at "/auth/realms/<realm name>"
> and just return an empty page
>
> * It can end up being visible to end-users - we should rather have a realm
> welcome page / SSO landing page here
> * It's not used by anything AFAIK
> * From time to time people complain about it
> (https://issues.jboss.org/browse/KEYCLOAK-5279 for instance, there's more
> similar issues reported)
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev