Hey,

So, a very high level question, and any insight you guys may have would help.

We're looking to potentially deploy keycloak as a part of a public cloud application to support authentication to our applications based on security settings our tenants may use, which may include talking back to their internal LDAPs, our LDAP, our database, or their hosted SAML solutions.

We're not looking to expose this UI to them, so they would never need to login other than visiting the login page to access our applications. Are there any mitigation strategies for reducing the attack surface of keycloak? I saw that you had brute force detection available, in addition to using public/private key pairs to do API authentication. I'm wondering if there are any more security levels that could be leveraged? Does reducing the amount of API endpoints accessible publicly make sense in this scenario? If so, what endpoints would need to be there to support authentication?

John