Re: [keycloak-dev] Remove realm json at "/auth/realms/<realm name>"
On 16 August 2017 at 15:40, Alexey Kazakov <alkazako(a)redhat.com> wrote:
On 08/15/2017 05:00 AM, Stian Thorgersen wrote:
> I propose we remove the realm json returned at "/auth/realms/<realm
name>"
> and just return an empty page
>
> * It can end-up being visible to end-users - we should rather have a
realm
> welcome page / SSO landing page here
What is wrong with exposing this json to users?
Nothing much really. There's no details there that are sensitive nor can't
easily be found out regardless. It doesn't look good if a end-user happens
to go to this URL though and is shown some JSON file rather than a HTML
page.
> * It's not used by anything AFAIK
I'm not sure if this endpoint is documented but it can be used by
users/clients. For example we use this endpoint to fetch the public key
of the realm in openshift.io plus for simple health check. Should
something else be used instead?
For public keys use:
/auth/realms/<realm name>/.well-known/openid-configuration
That's what our adapters use and it's a OIDC standard endpoint
> * From time to time people complain about it (
> https://issues.jboss.org/browse/KEYCLOAK-5279 for instance, there's more
> similar issues reported)
It seems that I don't have access to this issue. What kind of problems
this endpoint can cause?
Folks claim it's a security issue. I disagree with that, but it comes up
from time to time.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev