Those endpoints shouldn't contain any sensitive data. Those are not
"signing keys" themselves; there are just public keys, which client
applications can download so they are able to verify the access token. Also,
the endpoint locations provided by .well-known are public, but the endpoints
themselves (e.g. the token endpoint) are properly secured.
Per OpenID Connect Discovery, that endpoint doesn't need to be
secured. It is just needed that the endpoint uses HTTPS, to avoid
man-in-the-middle attacks where an attacker would trick the client
application by returning incorrect endpoints or public keys.
Do you see anything concrete where exposing that information is a
security risk?
Thanks,
Marek
On 10/08/17 11:18, Simon Payne wrote:
Hi,
I have found that the .well-known and jwks_uri endpoints are left unsecured,
meaning that unauthenticated clients can discover the auth server configuration
and signing keys.
Surely we should require a minimum of basic authentication using client id
and secret?
Thanks,
Simon.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
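As an added example, not from this thread and not Keycloak's own code, the following self-contained Go program shows the point Marek makes: what a jwks_uri document actually carries (the RSA modulus and exponent only, no private exponent), how a client uses that public document to verify an RS256 access token, and why a party holding nothing but the JWKS cannot mint a token of its own. The key id "kid-2017-08", the claims, and the minimal hand-rolled JWT handling are constructed for illustration; a real client would additionally check exp, iss and aud, and would fetch the JWKS over HTTPS from the jwks_uri given in the discovery document.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK holds the RFC 7517 fields of an RSA *public* key as served at jwks_uri.
// There is deliberately no "d" (private exponent) field: the document is public.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Alg string `json:"alg"`
	Use string `json:"use"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the key-set document a client application downloads from jwks_uri.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

var b64 = base64.RawURLEncoding

// NewSigningKey generates the server-side RSA key pair; the private half stays on the server.
func NewSigningKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// PublishJWKS derives the public key set from the private key: only n and e are exported.
func PublishJWKS(kid string, priv *rsa.PrivateKey) JWKS {
	pub := &priv.PublicKey
	return JWKS{Keys: []JWK{{
		Kty: "RSA", Kid: kid, Alg: "RS256", Use: "sig",
		N:   b64.EncodeToString(pub.N.Bytes()),
		E:   b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}}}
}

// IssueToken is what the (secured) token endpoint does: sign claims with the private key.
func IssueToken(kid string, priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is what a client does with the public JWKS only. It pins the algorithm
// to RS256 (never trusting "none" or an HMAC alg taken from the header) and picks the key by kid.
func VerifyToken(token string, jwks JWKS) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var key *JWK
	for i := range jwks.Keys {
		if jwks.Keys[i].Kid == hdr.Kid && jwks.Keys[i].Kty == "RSA" {
			key = &jwks.Keys[i]
			break
		}
	}
	if key == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", hdr.Kid)
	}
	nBytes, errN := b64.DecodeString(key.N)
	eBytes, errE := b64.DecodeString(key.E)
	sig, errS := b64.DecodeString(parts[2])
	if errN != nil || errE != nil || errS != nil {
		return nil, errors.New("bad base64url in key or signature")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nBytes), E: int(new(big.Int).SetBytes(eBytes).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	serverKey := NewSigningKey()
	jwks := PublishJWKS("kid-2017-08", serverKey) // constructed kid for illustration
	doc, _ := json.Marshal(jwks)
	fmt.Println("published JWKS (public material only):", string(doc))

	token, _ := IssueToken("kid-2017-08", serverKey, map[string]interface{}{"sub": "alice", "aud": "my-client"})
	claims, err := VerifyToken(token, jwks)
	fmt.Println("genuine token:", claims, err)

	// Holding only the JWKS does not let anyone mint tokens: a token signed with
	// any other key (constructed here) fails verification against the published set.
	otherKey := NewSigningKey()
	forged, _ := IssueToken("kid-2017-08", otherKey, map[string]interface{}{"sub": "admin"})
	_, err = VerifyToken(forged, jwks)
	fmt.Println("token signed with a different key:", err)
}
```

The JSON printed for the JWKS is exactly the kind of document the unauthenticated jwks_uri returns; it is usable for verification only, which is why the thread treats exposing it as harmless as long as it is fetched over HTTPS so that a man-in-the-middle cannot substitute a different key set.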