[keycloak-dev] Remove realm json at "/auth/realms/<realm name>"
Alexey Kazakov
alkazako at redhat.com
Thu Aug 17 14:45:30 EDT 2017
On 08/16/2017 09:46 PM, Stian Thorgersen wrote:
>
>
> On 16 August 2017 at 15:40, Alexey Kazakov <alkazako at redhat.com> wrote:
>
>
> On 08/15/2017 05:00 AM, Stian Thorgersen wrote:
> > I propose we remove the realm json returned at
> > "/auth/realms/<realm name>"
> > and just return an empty page
> >
> > * It can end-up being visible to end-users - we should rather
> > have a realm welcome page / SSO landing page here
> What is wrong with exposing this json to users?
>
>
> Nothing much really. There's no details there that are sensitive or
> that can't easily be found out regardless. It doesn't look good if an
> end-user happens to go to this URL though and is shown some JSON file
> rather than a HTML page.
>
>
>
> > * It's not used by anything AFAIK
>
> I'm not sure if this endpoint is documented but it can be used by
> users/clients. For example we use this endpoint to fetch the public key
> of the realm in openshift.io plus for a simple health check. Should
> something else be used instead?
>
>
> For public keys use:
> /auth/realms/<realm name>/.well-known/openid-configuration
>
> That's what our adapters use and it's a OIDC standard endpoint
Hm.. I don't see any public key in
/auth/realms/<realm name>/.well-known/openid-configuration
Thanks.
>
>
>
> > * From time to time people complain about it (
> > https://issues.jboss.org/browse/KEYCLOAK-5279 for instance, there's more
> > similar issues reported)
> It seems that I don't have access to this issue. What kind of problems
> can this endpoint cause?
>
>
> Folks claim it's a security issue. I disagree with that, but it comes
> up from time to time.
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
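Added example, not code from Keycloak or from openshift.io: the client-side path Stian is pointing at. The discovery document does not embed the realm key; it carries a jwks_uri, and the client follows that to the JWKS and selects a key by kid (the JWKS is where a public key that was previously read from the realm JSON comes from). The Go program below starts an in-process stand-in for the realm (constructed for this example: realm name "demo", key id "key-1" and the /protocol/openid-connect/certs path are assumptions, as is the shape of the stand-in server), resolves the realm's RSA key through discovery, and uses it to check a signature of the kind RS256 tokens carry. Two caveats a client should encode: only follow a jwks_uri that stays under the origin the client was configured with, and treat an unknown kid as an error rather than a cue to try every published key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE base64url without padding, used by JWK and JWT

// newRealmServer stands in for Keycloak (constructed for this example): same paths, with jwks_uri pointing at a JWKS holding pub.
func newRealmServer(realm, kid string, pub *rsa.PublicKey) *httptest.Server {
	prefix, mux := "/auth/realms/"+realm, http.NewServeMux()
	mux.HandleFunc(prefix+"/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
		iss := "http://" + r.Host + prefix
		json.NewEncoder(w).Encode(map[string]string{"issuer": iss, "jwks_uri": iss + "/protocol/openid-connect/certs"})
	})
	mux.HandleFunc(prefix+"/protocol/openid-connect/certs", func(w http.ResponseWriter, r *http.Request) {
		n, e := b64.EncodeToString(pub.N.Bytes()), b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
		json.NewEncoder(w).Encode(map[string]any{"keys": []map[string]string{{"kty": "RSA", "kid": kid, "n": n, "e": e}}})
	})
	return httptest.NewServer(mux)
}

func fetchJSON(url string, v any) error {
	resp, err := http.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(v)
}

// RealmKeys resolves a realm's RSA signing keys by kid the way an OIDC client should: discovery document
// -> jwks_uri -> JWKS. jwks_uri is pinned to baseURL so a bad discovery document cannot point at a foreign key set.
func RealmKeys(baseURL, realm string) (map[string]*rsa.PublicKey, error) {
	var disc struct{ JwksURI string `json:"jwks_uri"` }
	if err := fetchJSON(baseURL+"/auth/realms/"+realm+"/.well-known/openid-configuration", &disc); err != nil {
		return nil, err
	}
	if !strings.HasPrefix(disc.JwksURI, baseURL+"/") {
		return nil, fmt.Errorf("refusing jwks_uri %q outside %s", disc.JwksURI, baseURL)
	}
	var set struct{ Keys []struct{ Kty, Kid, N, E string } } // JSON names match case-insensitively
	if err := fetchJSON(disc.JwksURI, &set); err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N) // unsigned big-endian magnitudes, per RFC 7518
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && errN == nil && errE == nil { // a realm may publish other key types too
			keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return keys, nil
}

// VerifyRealmSignature checks an RS256-style (RSASSA-PKCS1-v1_5, SHA-256) signature with the key named by kid.
func VerifyRealmSignature(keys map[string]*rsa.PublicKey, kid string, msg, sig []byte) error {
	if pub := keys[kid]; pub != nil {
		digest := sha256.Sum256(msg)
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
	}
	return fmt.Errorf("unknown kid %q", kid) // never fall back to trying every published key
}

// Demo resolves the key from an in-process realm, then checks a genuine signature and a tampered message.
func Demo() (genuineOK, tamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	srv := newRealmServer("demo", "key-1", &priv.PublicKey)
	defer srv.Close()
	keys, err := RealmKeys(srv.URL, "demo")
	if err != nil {
		return false, false, err
	}
	msg := []byte(`{"alg":"RS256","kid":"key-1"}.{"sub":"alice"}`) // stands in for a token's header.payload
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return false, false, err
	}
	return VerifyRealmSignature(keys, "key-1", msg, sig) == nil,
		VerifyRealmSignature(keys, "key-1", []byte(`{"sub":"admin"}`), sig) != nil, nil
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run` and it prints `true true <nil>`: the key reached through discovery verifies what the realm signed and rejects the altered message. Against a real server the same RealmKeys call works with baseURL set to the Keycloak origin; the point of pinning jwks_uri to that origin is that the discovery document is fetched over the network too, so it should not be allowed to redirect key retrieval elsewhere. Key rotation is handled naturally because keys are looked up by kid, so a client should refetch the JWKS when it meets a kid it does not know rather than cache forever.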