+1 for being able to disable exposing admin links to the outside world.
On Tue, Mar 24, 2016, at 6:48 AM, Thomas Darimont wrote:
Hello group,
I'm about to configure our Web Application Firewall for Keycloak where I want to implement the following scenario:
CLIENT_ENDPOINTS:
All endpoints needed for Web SSO via OAuth 2.0 / OpenID Connect, as well as the account and login/totp/registration/forgot password pages should be accessible from the public internet.
ADMIN_ENDPOINTS:
Admin endpoints like the Admin Console, Admin REST API etc. should only be accessible from the internal network.
Are there any guidelines for which URL pattern applies to which category (CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?
To me, it seems that:
- "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.
- "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS category.
Have I missed anything else?
Btw. it turns out that some endpoints (unnecessarily) expose internal links like "admin-api" if you go to:
http://localhost:8080/auth/realms/my-realm/
{
realm: "my-realm",
public_key: "...",
token-service: "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect",
account-service: "http://localhost:8080/auth/realms/my-realm/account",
admin-api: "http://localhost:8080/auth/admin",
tokens-not-before: 0
}
Can this be disabled?
Cheers,
Thomas
- Faster than the air-speed velocity of an unladen European swallow
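An added example, written for this thread and not taken from Thomas's mail or from the Keycloak project: a small Python sketch of the URL-category policy he proposes ("/auth/admin/*" is ADMIN_ENDPOINTS, "/auth/realms/<realm>/*" is CLIENT_ENDPOINTS), applied to a few constructed requests, plus a check that reads the realm descriptor quoted above and reports which of its links point at an admin path. The internal network ranges (10.0.0.0/8 and 192.168.0.0/16), the sample requests and the deny-by-default handling of paths in neither category are this example's assumptions. Paths are percent-decoded and dot-segment-normalized before matching, since a prefix rule applied to the raw path would misclassify a request whose path only reaches /auth/admin after normalization.

```python
"""Added example: request-path policy for the CLIENT_ENDPOINTS / ADMIN_ENDPOINTS
split from the thread. Not Keycloak project code; ranges and requests are constructed."""
import ipaddress
import json
import posixpath
from urllib.parse import unquote, urlsplit

# Assumption (constructed): these ranges are "the internal network".
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

ADMIN = "ADMIN_ENDPOINTS"
CLIENT = "CLIENT_ENDPOINTS"
UNKNOWN = "UNKNOWN"


def normalize(path):
    """Drop the query string, percent-decode, collapse '.'/'..' segments and
    extra leading slashes so the category check sees the effective path."""
    path = unquote(path.split("?", 1)[0])
    path = "/" + path.lstrip("/")          # single leading '/', keeps normpath absolute
    return posixpath.normpath(path)        # also strips a trailing '/'


def classify(path):
    """'/auth/admin/*' -> ADMIN, '/auth/realms/<realm>/*' -> CLIENT, else UNKNOWN."""
    norm = normalize(path)
    if norm == "/auth/admin" or norm.startswith("/auth/admin/"):
        return ADMIN
    parts = norm.split("/")                # ['', 'auth', 'realms', '<realm>', ...]
    if len(parts) >= 4 and parts[1] == "auth" and parts[2] == "realms" and parts[3]:
        return CLIENT
    return UNKNOWN


def is_internal(source_ip):
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in INTERNAL_NETWORKS)


def decide(path, source_ip):
    """CLIENT paths are allowed from anywhere; ADMIN paths only from inside.
    Treating UNKNOWN like ADMIN (deny-by-default) is this example's choice."""
    if classify(path) == CLIENT:
        return "allow"
    return "allow" if is_internal(source_ip) else "deny"


def admin_links(descriptor_json):
    """Keys of a realm descriptor whose URL points at an ADMIN path, i.e. the
    internal links the thread says the public realm endpoint exposes."""
    doc = json.loads(descriptor_json)
    return [
        key for key, value in doc.items()
        if isinstance(value, str) and value.startswith("http")
        and classify(urlsplit(value).path) == ADMIN
    ]


# Constructed sample requests: (path, source IP). 203.0.113.0/24 is a documentation range.
SAMPLE_REQUESTS = [
    ("/auth/realms/my-realm/protocol/openid-connect/auth", "203.0.113.7"),
    ("/auth/realms/my-realm/account", "203.0.113.7"),
    ("/auth/admin/realms/my-realm", "203.0.113.7"),
    ("/auth/admin/realms/my-realm", "10.1.2.3"),
    ("/auth/realms/my-realm/../../admin/", "203.0.113.7"),   # normalizes to /auth/admin
    ("/auth/realms/my-realm/%2e%2e/%2e%2e/admin", "203.0.113.7"),
    ("/auth/", "203.0.113.7"),                               # neither category
]

# Realm descriptor as quoted in the thread (public_key value is a placeholder).
REALM_DESCRIPTOR = json.dumps({
    "realm": "my-realm",
    "public_key": "...",
    "token-service": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect",
    "account-service": "http://localhost:8080/auth/realms/my-realm/account",
    "admin-api": "http://localhost:8080/auth/admin",
    "tokens-not-before": 0,
})


def evaluate(requests=SAMPLE_REQUESTS):
    """(path, ip, category, verdict) for every sample request."""
    return [(path, ip, classify(path), decide(path, ip)) for path, ip in requests]


if __name__ == "__main__":
    for path, ip, category, verdict in evaluate():
        print(f"{verdict:5} {category:16} {ip:12} {path}")
    print("admin links in realm descriptor:", admin_links(REALM_DESCRIPTOR))
```

Running the file lists each sample request with its category and verdict and reports `admin-api` as the only descriptor link that resolves to an admin path. The same classifier can be fed real access-log paths to confirm that nothing outside the two categories is reachable from public addresses.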