[keycloak-dev] Remove realm json at "/auth/realms/<realm name>"

Stian Thorgersen sthorger at redhat.com
Thu Aug 17 00:46:17 EDT 2017


On 16 August 2017 at 15:40, Alexey Kazakov <alkazako at redhat.com> wrote:

>
> On 08/15/2017 05:00 AM, Stian Thorgersen wrote:
> > I propose we remove the realm json returned at "/auth/realms/<realm
> name>"
> > and just return an empty page
> >
> > * It can end-up being visible to end-users - we should rather have a
> realm
> > welcome page / SSO landing page here
> What is wrong with exposing this json to users?
>

Nothing much really. There are no details there that are sensitive or that
can't easily be found out regardless. It doesn't look good if an end-user
happens to go to this URL though and is shown some JSON file rather than an
HTML page.


>
> > * It's not used by anything AFAIK
>
> I'm not sure if this endpoint is documented but it can be used by
> users/clients. For example we use this endpoint to fetch the public key
> of the realm in openshift.io plus for simple health check. Should
> something else be used instead?
>

For public keys use:
/auth/realms/<realm name>/.well-known/openid-configuration

That's what our adapters use and it's an OIDC standard endpoint


>
> > * From time to time people complain about it (
> > https://issues.jboss.org/browse/KEYCLOAK-5279 for instance, there's more
> > similar issues reported)
> It seems that I don't have access to this issue. What kind of problems
> can this endpoint cause?
>

Folks claim it's a security issue. I disagree with that, but it comes up
from time to time.


>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

