One important thing I can think of is if we add support for JWEs we need to
make sure this thing doesn't return token details.
On Thu, 5 Apr 2018, 17:09 Pedro Igor Silva, <psilva(a)redhat.com> wrote:
Nope :)
On Thu, Apr 5, 2018 at 12:03 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> I can see it being helpful in production for debugging purposes. It may
> also be helpful for application developers that are trying to figure out
> what's going on in their apps.
>
> Do you have any actual concerns about it being exposed rather than just
> because it's more stuff to expose? ;)
>
> On 5 April 2018 at 16:58, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>
>> To avoid additional endpoints that are not really part of the core
>> functionality. For demo and testing this is very helpful but in production
>> you don't want the server serving such requests and consuming resources.
>>
>> Treating it as a "feature" seems more reasonable to me than always
>> having it available.
>>
>> On Thu, Apr 5, 2018 at 11:47 AM, Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>
>>> Just to add - we can easily make it a feature that can be
>>> enabled/disabled through the profile stuff, but was just curious as to
>>> why you thought it would be needed to disable it.
>>>
>>> On 5 April 2018 at 16:45, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>>>
>>>> Why?
>>>>
>>>> On 5 April 2018 at 16:23, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>>>>
>>>>> Although very helpful, people may want to disable this when in
>>>>> production.
>>>>>
>>>>> On Thu, Apr 5, 2018 at 9:04 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>>>>>
>>>>>> I added an example token validator endpoint that I needed for some
>>>>>> demonstration purposes. Question: would this be useful to add
>>>>>> directly to Keycloak?
>>>>>>
>>>>>> It provides a simple form where you can paste in the base64 token.
>>>>>> It will then output the header, claims and whether or not the token
>>>>>> is valid. It uses realm keys to verify the signature so you don't
>>>>>> have to paste that in manually (like you do on jwt.io).
>>>>>>
>>>>>> For those too lazy to try it out I've attached a screenshot.
>
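
A sketch of the validator behaviour discussed in this thread, including the JWE concern raised at the top. This is an added example, not part of the original messages and not Keycloak code: the names REALM_KEYS, make_token and inspect_token are hypothetical, and an HS256 secret stands in for the realm keys.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for a realm's signing keys, indexed by key id (kid).
REALM_KEYS = {"demo-kid": b"constructed-demo-secret"}
WITHHELD = {"header": None, "claims": None}

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key, kid="demo-kid"):
    """Build a constructed HS256 sample token for the demo."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def inspect_token(token):
    parts = token.strip().split(".")
    if len(parts) == 5:
        # JWE compact serialization: report the type only, never decrypt
        # or echo any part of the token back to the caller.
        return {"type": "JWE", "valid": None, **WITHHELD}
    if len(parts) != 3:
        return {"type": "unknown", "valid": False, **WITHHELD}
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return {"type": "unknown", "valid": False, **WITHHELD}
    if not isinstance(header, dict):
        return {"type": "unknown", "valid": False, **WITHHELD}
    kid = header.get("kid")
    key = REALM_KEYS.get(kid) if isinstance(kid, str) else None
    valid = False
    # Only the one algorithm this demo supports is accepted; alg "none" or
    # an unknown kid leaves valid=False.
    if header.get("alg") == "HS256" and key is not None:
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(),
                            hashlib.sha256).digest()
        valid = hmac.compare_digest(expected, signature)
    return {"type": "JWS", "valid": valid, "header": header, "claims": claims}
```
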