[keycloak-dev] Remove realm json at "/auth/realms/<realm name>"

Alexey Kazakov alkazako at redhat.com
Wed Aug 16 09:40:24 EDT 2017


On 08/15/2017 05:00 AM, Stian Thorgersen wrote:
> I propose we remove the realm json returned at "/auth/realms/<realm name>"
> and just return an empty page
>
> * It can end up being visible to end-users - we should rather have a realm
> welcome page / SSO landing page here

What is wrong with exposing this json to users?

> * It's not used by anything AFAIK

I'm not sure if this endpoint is documented, but it can be used by
users/clients. For example, we use this endpoint to fetch the public key
of the realm in openshift.io, plus for a simple health check. Should
something else be used instead?

> * From time to time people complain about it (
> https://issues.jboss.org/browse/KEYCLOAK-5279 for instance, there are more
> similar issues reported)

It seems that I don't have access to this issue. What kind of problems
can this endpoint cause?
