I think that all the stuff related to admin REST endpoints or admin console UI is under /auth/admin/* .

Hello group,
I'm about to configure our Web Application Firewall for Keycloak where I want to implement the following scenario:

CLIENT_ENDPOINTS: All endpoints needed for Web SSO via OAuth 2.0 / OpenID Connect, as well as the account and login/totp/registration/forgot password pages, should be accessible from the public internet.

ADMIN_ENDPOINTS: Admin endpoints like the Admin Console, Admin REST API etc. should only be accessible from the internal network.
Are there any guidelines for which URL pattern applies to which category (CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?
To me, it seems that:
- "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.
- "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS category.
Have I missed anything else?

Btw. it turns out that some endpoints (unnecessarily) expose internal links like "admin-api" if you go to: http://localhost:8080/auth/realms/my-realm/

{
  realm: "my-realm",
  public_key: "...",
  token-service: "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect",
  account-service: "http://localhost:8080/auth/realms/my-realm/account",
  admin-api: "http://localhost:8080/auth/admin",
  tokens-not-before: 0
}
Can this be disabled?
Cheers,
Thomas
_______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user
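The prefix split described in the thread (/auth/admin/* internal only, /auth/realms/* public) is easy to state but easy to get wrong in a WAF rule that matches the raw request string. The following is an added example, not code from Keycloak or from anyone in the thread: a small Python policy checker that canonicalizes the path (percent-decoding twice, collapsing "//" and resolving "/../" segments) before prefix matching, then applies the two categories with a default deny. The internal address ranges, the sample requests and the helper names (normalize_path, classify, allow, evaluate) are assumptions made for this illustration.

```python
"""Path-based allow/deny for the CLIENT_ENDPOINTS / ADMIN_ENDPOINTS split.

Added example, not Keycloak code.  The prefixes, the internal address
ranges and the sample requests are assumptions for this illustration.
"""
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumed "internal network" ranges; replace with the real ones.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# The two categories from the post.  Matching is done on the normalized
# path, so "/auth/admin" also covers "/auth/admin/realms/my-realm".
ADMIN_PREFIXES = ("/auth/admin",)
CLIENT_PREFIXES = ("/auth/realms",)


def normalize_path(raw_path):
    """Canonicalize the request path before matching.

    A rule that matches the raw string can be bypassed with
    percent-encoding, double encoding, '//' or '/../' segments, all of
    which the backend may resolve to the admin prefix.  Decoding twice
    catches the double-encoded form.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    path = unquote(unquote(path))
    if not path.startswith("/"):
        path = "/" + path
    # normpath collapses '//', '/./' and '/../' and strips a trailing '/'
    path = posixpath.normpath(path)
    if path.startswith("//"):  # normpath keeps exactly two leading slashes
        path = "/" + path.lstrip("/")
    return path


def _has_prefix(path, prefixes):
    # "/auth/admin" must not match "/auth/administrator"
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def classify(raw_path):
    """Return ADMIN_ENDPOINTS, CLIENT_ENDPOINTS or OTHER for a request path."""
    path = normalize_path(raw_path)
    if _has_prefix(path, ADMIN_PREFIXES):
        return "ADMIN_ENDPOINTS"
    if _has_prefix(path, CLIENT_PREFIXES):
        return "CLIENT_ENDPOINTS"
    return "OTHER"


def is_internal(client_ip):
    """True if client_ip parses and falls in an assumed internal range."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def allow(raw_path, client_ip):
    """Policy: client endpoints from anywhere, admin endpoints only from
    the internal network, everything else denied (default deny)."""
    category = classify(raw_path)
    if category == "CLIENT_ENDPOINTS":
        return True
    if category == "ADMIN_ENDPOINTS":
        return is_internal(client_ip)
    return False


# Constructed sample requests (source IP, raw path), not real traffic.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "/auth/realms/my-realm/protocol/openid-connect/auth"),
    ("203.0.113.7", "/auth/realms/my-realm/account/"),
    ("203.0.113.7", "/auth/admin/master/console/"),
    ("10.20.30.40", "/auth/admin/master/console/"),
    ("203.0.113.7", "/auth/realms/my-realm/../../admin/realms"),
    ("203.0.113.7", "/auth/realms/my-realm/%252e%252e/%252e%252e/admin/realms"),
    ("203.0.113.7", "/auth//admin/realms"),
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Return [(ip, raw_path, category, allowed)] for each request."""
    return [(ip, p, classify(p), allow(p, ip)) for ip, p in requests]


if __name__ == "__main__":
    for ip, p, cat, ok in evaluate():
        print(f"{'ALLOW' if ok else 'DENY ':5} {ip:15} {cat:17} {p}")
```

The last three sample requests are the ones a plain string match on "/auth/admin" would let through from the internet; after normalization all three land in ADMIN_ENDPOINTS and are denied. Whatever WAF is in front of Keycloak, check that its matching runs on the same canonical form the backend uses, and keep the default-deny branch so an unlisted path is not public by accident. One thing to verify separately against your deployment: the admin console itself signs in through the master realm, whose login endpoints sit under /auth/realms/master/, so a two-prefix split alone leaves that realm's login page reachable from outside.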