[keycloak-dev] Remove realm json at "/auth/realms/<realm name>"

Bill Burke bburke at redhat.com
Tue Aug 15 13:18:57 EDT 2017


The idea of that URL is to expose public information about the realm, 
i.e. public cert/key and public endpoint urls.  If this information is 
not being used and we have other mechanisms in place, then yeah, remove it.

IMO, the jira you reference is unrelated.  It's about shutting down the 
admin console/API.  As far as that goes, it would be cool to split up 
Keycloak into separate subsystems:

* backend (required)
* admin api/console
* account service
* authentication/brokering/token endpoints

Even have the admin api/console be exposed from a different bind 
address/port.

On 8/15/17 8:00 AM, Stian Thorgersen wrote:
> I propose we remove the realm json returned at "/auth/realms/<realm name>"
> and just return an empty page
>
> * It can end up being visible to end-users - we should rather have a realm
> welcome page / SSO landing page here
> * It's not used by anything AFAIK
> * From time to time people complain about it (
> https://issues.jboss.org/browse/KEYCLOAK-5279 for instance, there are more
> similar issues reported)