On 16 August 2017 at 12:12, John D. Ament <john.d.ament(a)gmail.com> wrote:
> KEYCLOAK-5279 isn't asking to split it out. We're dealing with the access
> at a network level, making it so that certain URIs aren't accessible. But
> the ability to hide the fact that it may need to exist is important.
> I think the more relevant ticket is KEYCLOAK-5277, where at least in a
> multitenant fashion the fact that a realm may exist is considered sensitive
> information. The fact that there's a public API that returns 200/404 if a
> realm exists is considered a problem, so having it removed would alleviate
> any concerns in that area.
Firstly, I disagree that exposing if a realm name is a valid realm or not
is not a particularly big risk. Folks can find valid realm names just by
logging in to your apps.
Secondly, there's no way to stop someone from being able to detect if a
realm name is valid or not. Pretty much every endpoint the server has can
tell you that. I assume you're not seriously expecting us to provide some
sort of fake realm where there is none?
On Tue, Aug 15, 2017 at 1:19 PM Bill Burke <bburke(a)redhat.com> wrote:
> The idea of that URL is to expose public information about the realm,
> i.e. public cert/key and public endpoint URLs. If this information is
> not being used and we have other mechanisms in place, then yeah, remove
> it.
>
> IMO, the jira you reference is unrelated. It's about shutting down the
> admin console/API. As far as that goes, it would be cool to split up
> keycloak into separate subsystems:
>
> * backend (required)
> * admin api/console
> * account service
> * authentication/brokering/token endpoints
>
> Even have the admin api/console be exposed from a different bind
> address/port.
>
> On 8/15/17 8:00 AM, Stian Thorgersen wrote:
> > I propose we remove the realm JSON returned at "/auth/realms/<realm name>"
> > and just return an empty page
> >
> > * It can end up being visible to end-users - we should rather have a realm
> > welcome page / SSO landing page here
> > * It's not used by anything AFAIK
> > * From time to time people complain about it (
> > https://issues.jboss.org/browse/KEYCLOAK-5279 for instance, there are more
> > similar issues reported)
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
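The proposal from the thread (an empty page at /auth/realms/<realm> in place of the realm JSON) together with Bill's suggestion of exposing the admin console/API on a separate bind address/port, as an added nginx reverse-proxy example that is not from the thread or the Keycloak project; the upstream address, hostnames, certificate paths and admin network range are assumptions.

```nginx
# Added example, not Keycloak's own configuration. Assumes Keycloak listens on
# 127.0.0.1:8080 under the /auth context path; all other values are placeholders.
upstream keycloak {
    server 127.0.0.1:8080;
}
# Public listener: only end-user facing endpoints.
server {
    listen 443 ssl;
    server_name sso.example.com;                  # placeholder
    ssl_certificate     /etc/nginx/tls/sso.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/sso.key;   # placeholder
    # Exact realm root, with or without trailing slash: empty response instead
    # of the realm JSON. Deeper paths (/protocol/openid-connect/..., /account,
    # /.well-known/...) do not match this regex and are proxied unchanged.
    location ~ ^/auth/realms/[^/]+/?$ {
        return 204;
    }
    # Admin console and admin REST API are not reachable from the public side.
    location /auth/admin/ {
        return 404;
    }
    location /auth/ {
        proxy_pass http://keycloak;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
# Management listener: admin console/API on a separate bind address and port,
# accepting connections only from the admin network.
server {
    listen 10.0.0.5:8443 ssl;                     # placeholder bind address
    server_name sso-admin.internal;               # placeholder
    ssl_certificate     /etc/nginx/tls/admin.crt; # placeholder
    ssl_certificate_key /etc/nginx/tls/admin.key; # placeholder
    allow 10.0.0.0/24;                            # placeholder admin range
    deny  all;
    location /auth/ {
        proxy_pass http://keycloak;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

As Stian notes in the thread, this does not hide whether a realm exists, since the endpoints under the realm path still respond differently for valid and invalid realm names; treat the empty root page as removing an unneeded response, not as an information-disclosure control.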