[keycloak-dev] Remove realm json at "/auth/realms/<realm name>"
Stian Thorgersen
sthorger at redhat.com
Fri Aug 18 01:25:25 EDT 2017
My bad, been on holiday to long. It's not in there directly, but rather
then URI for the keys are specified in jwks_uri. So it'll be something like:
http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
One of the main reasons you want to use this is that there can be more than
one public key permitted at any given time due to key rotation support.
On 17 August 2017 at 20:45, Alexey Kazakov <alkazako at redhat.com> wrote:
>
>
> On 08/16/2017 09:46 PM, Stian Thorgersen wrote:
> >
> >
> > On 16 August 2017 at 15:40, Alexey Kazakov <alkazako at redhat.com
> > <mailto:alkazako at redhat.com>> wrote:
> >
> >
> > On 08/15/2017 05:00 AM, Stian Thorgersen wrote:
> > > I propose we remove the realm json returned at
> > "/auth/realms/<realm name>"
> > > and just return an empty page
> > >
> > > * It can end-up being visible to end-users - we should rather
> > have a realm
> > > welcome page / SSO landing page here
> > What is wrong with exposing this json to users?
> >
> >
> > Nothing much really. There's no details there that are sensitive nor
> > can't easily be found out regardless. It doesn't look good if a
> > end-user happens to go to this URL though and is shown some JSON file
> > rather than a HTML page.
> >
> >
> >
> > > * It's not used by anything AFAIK
> >
> > I'm not sure if this endpoint is documented but it can be used by
> > users/clients. For example we use this endpoint to fetch the
> > public key
> > of the realm in openshift.io <http://openshift.io> plus for simple
> > health check. Should
> > something else be used instead?
> >
> >
> > For public keys use:
> > /auth/realms/<realm name>/.well-known/openid-configuration
> >
> > That's what our adapters use and it's a OIDC standard endpoint
>
> Hm.. I don't see any public key in /auth/realms/<realm
> name>/.well-known/openid-configuration
>
> Thanks.
>
> >
> >
> >
> > > * From time to time people complain about it (
> > > https://issues.jboss.org/browse/KEYCLOAK-5279
> > <https://issues.jboss.org/browse/KEYCLOAK-5279> for instance,
> > there's more
> > > similar issues reported)
> > It seems that I don't have access to this issue. What kind of
> problems
> > this endpoint can cause?
> >
> >
> > Folks claim it's a security issue. I disagree with that, but it comes
> > up from time to time.
> >
> >
> >
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
> >
> >
>
>
More information about the keycloak-dev
mailing list