Re: [keycloak-dev] Remove realm json at "/auth/realms/<realm name>"

Thursday, 17 August 2017

On 08/16/2017 09:46 PM, Stian Thorgersen wrote:
...

 On 16 August 2017 at 15:40, Alexey Kazakov <alkazako(a)redhat.com
 <mailto:alkazako@redhat.com>> wrote:

     On 08/15/2017 05:00 AM, Stian Thorgersen wrote:
     > I propose we remove the realm json returned at
     "/auth/realms/<realm name>"
     > and just return an empty page
     >
     > * It can end-up being visible to end-users - we should rather
     have a realm
     > welcome page / SSO landing page here
     What is wrong with exposing this json to users?

 Nothing much really. There's no details there that are sensitive nor
 can't easily be found out regardless. It doesn't look good if a
 end-user happens to go to this URL though and is shown some JSON file
 rather than a HTML page.

     > * It's not used by anything AFAIK

     I'm not sure if this endpoint is documented but it can be used by
     users/clients. For example we use this endpoint to fetch the
     public key
     of the realm in openshift.io <http://openshift.io> plus for simple
     health check. Should
     something else be used instead?

 For public keys use:
 /auth/realms/<realm name>/.well-known/openid-configuration

 That's what our adapters use and it's a OIDC standard endpoint 
Hm.. I don't see any public key in /auth/realms/<realm
name>/.well-known/openid-configuration

Thanks.

...

     > * From time to time people complain about it (
     > https://issues.jboss.org/browse/KEYCLOAK-5279
     <https://issues.jboss.org/browse/KEYCLOAK-5279> for instance,
     there's more
     > similar issues reported)
     It seems that I don't have access to this issue. What kind of problems
     this endpoint can cause?

 Folks claim it's a security issue. I disagree with that, but it comes
 up from time to time.

     > _______________________________________________
     > keycloak-dev mailing list
     > keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
     > https://lists.jboss.org/mailman/listinfo/keycloak-dev
     <https://lists.jboss.org/mailman/listinfo/keycloak-dev>

     _______________________________________________
     keycloak-dev mailing list
     keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
     https://lists.jboss.org/mailman/listinfo/keycloak-dev
     <https://lists.jboss.org/mailman/listinfo/keycloak-dev>

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Re: [keycloak-dev] Remove realm json at "/auth/realms/<realm name>"