My bad, been on holiday too long. It's not in there directly, but rather the URI for the keys is specified in jwks_uri. So it'll be something like:
http://localhost:8080/auth/realms/master/protocol/openid-connect/certs

Ah, OK. That looks good :) We will need to start using this endpoint instead of the /auth/realms/<realm>
Thanks!

One of the main reasons you want to use this is that there can be more than one public key permitted at any given time due to key rotation support.
On 17 August 2017 at 20:45, Alexey Kazakov <alkazako@redhat.com> wrote:
On 08/16/2017 09:46 PM, Stian Thorgersen wrote:
>
> On 16 August 2017 at 15:40, Alexey Kazakov <alkazako@redhat.com> wrote:
>
> On 08/15/2017 05:00 AM, Stian Thorgersen wrote:
> > I propose we remove the realm json returned at "/auth/realms/<realm name>"
> > and just return an empty page
> >
> > * It can end up being visible to end-users - we should rather have a realm
> > welcome page / SSO landing page here
> What is wrong with exposing this json to users?
>
> Nothing much really. There are no details there that are sensitive nor
> can't easily be found out regardless. It doesn't look good if an
> end-user happens to go to this URL though and is shown some JSON file
> rather than an HTML page.
>
> > * It's not used by anything AFAIK
>
> I'm not sure if this endpoint is documented but it can be used by
> users/clients. For example we use this endpoint to fetch the public key
> of the realm in openshift.io plus for simple health check. Should
> something else be used instead?
>
> For public keys use:
> /auth/realms/<realm name>/.well-known/openid-configuration
>
> That's what our adapters use and it's an OIDC standard endpoint
Hm.. I don't see any public key in /auth/realms/<realm name>/.well-known/openid-configuration
Thanks.
>
> > * From time to time people complain about it
> > (https://issues.jboss.org/browse/KEYCLOAK-5279 for instance, there's more
> > similar issues reported)
> It seems that I don't have access to this issue. What kind of problems
> can this endpoint cause?
>
> Folks claim it's a security issue. I disagree with that, but it comes
> up from time to time.
>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev@lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
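Worked example, added by the editor and not code from this thread or from Keycloak: a resolver that reads jwks_uri from the realm's discovery document, fetches the certs endpoint named above, picks the key whose kid matches the token header, and refreshes the key set once when the kid is unknown so a freshly rotated-in key is accepted while the previous key stays valid. The two endpoint paths are the ones quoted in the thread; the HTTP layer, kid values and key material are constructed stand-ins.

```python
import base64
import json
ISSUER = "http://localhost:8080/auth/realms/master"
# Constructed stand-ins for what Keycloak serves; kid values and key material
# are made up, only the URL shapes come from the thread.
DISCOVERY_DOC = json.dumps({"issuer": ISSUER, "jwks_uri": ISSUER + "/protocol/openid-connect/certs"})
OLD_KEY = {"kid": "key-2017-07", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "old-n", "e": "AQAB"}
NEW_KEY = {"kid": "key-2017-08", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "new-n", "e": "AQAB"}

class FakeServer:
    """Stands in for HTTP GET; once `rotated` is set the JWKS carries both keys."""
    def __init__(self):
        self.rotated = False
    def get(self, url):
        if url == ISSUER + "/.well-known/openid-configuration":
            return DISCOVERY_DOC
        if url == ISSUER + "/protocol/openid-connect/certs":
            return json.dumps({"keys": [OLD_KEY, NEW_KEY] if self.rotated else [OLD_KEY]})
        raise LookupError(url)

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

class JwksKeyResolver:
    """Finds the verification key for a JWT by kid: discovery doc -> jwks_uri -> JWKS."""
    def __init__(self, issuer, get):
        self.get = get
        self.jwks_uri = json.loads(get(issuer + "/.well-known/openid-configuration"))["jwks_uri"]
        self.refresh()
    def refresh(self):
        # Keep every published signing key: during rotation, tokens signed with the
        # previous key are still valid, so more than one kid is accepted at once.
        jwks = json.loads(self.get(self.jwks_uri))
        self.keys = {k["kid"]: k for k in jwks["keys"] if k.get("use", "sig") == "sig"}
    def resolve(self, jwt):
        header = json.loads(b64url_decode(jwt.split(".")[0]))
        if header.get("alg") != "RS256":  # the token must not choose the algorithm
            raise ValueError("unexpected alg %r" % header.get("alg"))
        kid = header.get("kid")
        if kid not in self.keys:
            self.refresh()  # unknown kid: a rotation may have added a key (rate-limit this in production)
        if kid not in self.keys:
            raise KeyError("no signing key with kid %r" % kid)
        return self.keys[kid]

def jwt_header(kid, alg="RS256"):
    """Constructs a token whose header names `kid`; payload and signature are dummies."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": alg, "kid": kid}).encode())
    return header.rstrip(b"=").decode() + ".e30.sig"
```

The returned JWK still has to be turned into an RSA public key and the signature checked by a JWT library; this block only covers the key selection and rotation handling the thread discusses.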