5:48 a.m.
Hello group,
I'm about to configure our Web Application Firewall for Keycloak where I
want to implement
the following scenario:
CLIENT_ENDPOINTS:
All endpoints needed for Web SSO via OAuth 2.0 / OpenID Connect, as well as
the account and
login/totp/registration/forgot password pages should be accessible from the
public internet.
ADMIN_ENDPOINTS:
Admin endpoints like the Admin Console, Admin REST API etc. should only be
accessible
from the internal network.
Are there any guidelines for which URL pattern applies to which category
(CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?
To me, it seems that:
- "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.
- "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS category.
Have I missed anything else?
Btw. it turns out that some endpoints (unnecessarily) expose internal links
like:
"admin-api" if you go to: http://localhost:8080/auth/realms/my-realm/
{
realm: "my-realm",
public_key: "...",
token-service: "
http://localhost:8080/auth/realms/my-realm/protocol/openid-connect";,
account-service: "http://localhost:8080/auth/realms/my-realm/account",
admin-api: "http://localhost:8080/auth/admin",
tokens-not-before: 0
}
Can this be disabled?
Cheers,
Thomas
8:21 a.m.
On 24/03/16 11:48, Thomas Darimont wrote:
Hello group,
I'm about to configure our Web Application Firewall for Keycloak where
I want to implement
the following scenario:
CLIENT_ENDPOINTS:
All endpoints needed for Web SSO via OAuth 2.0 / OpenID Connect, as
well as the account and
login/totp/registration/forgot password pages should be accessible
from the public internet.
ADMIN_ENDPOINTS:
Admin endpoints like the Admin Console, Admin REST API etc. should
only be accessible
from the internal network.
Are there any guidelines for which URL pattern applies to which
category (CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?
I think that all the stuff related to
admin REST endpoints or admin
console UI is under /auth/admin/* .
For access admin console just from local addresses, we don't support it
AFAIK, but you can achieve it with usage of some custom proxy/filter,
which will reject request coming from external IP address.
For the future, we plan to improve authorization/permissions for admin
console. As part of this, it will be possible to create authorization
rule to limit access just for some IP addresses. Not sure when this is
available though...
Marek
To me, it seems that:
- "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.
- "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS category.
Have I missed anything else?
Btw. it turns out that some endpoints (unnecessarily) expose internal
links like:
"admin-api" if you go to: http://localhost:8080/auth/realms/my-realm/
{
realm: "my-realm",
public_key: "...",
token-service:
"http://localhost:8080/auth/realms/my-realm/protocol/openid-connect",
account-service: "http://localhost:8080/auth/realms/my-realm/account",
admin-api: "http://localhost:8080/auth/admin",
tokens-not-before: 0
}
Can this be disabled?
Cheers,
Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3206
days inactive
3212
days old
1 comments
2 participants
participants (2)
-
Marek Posolda -
Thomas Darimont