[keycloak-dev] Remove realm json at "/auth/realms/<realm name>"
Alexey Kazakov
alkazako at redhat.com
Fri Aug 18 14:06:42 EDT 2017
On 08/17/2017 10:25 PM, Stian Thorgersen wrote:
> My bad, been on holiday too long. It's not in there directly, but
> rather the URI for the keys is specified in jwks_uri. So it'll be
> something like:
> http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
Ah, OK. That looks good :) We will need to start using this endpoint
instead of the /auth/realms/<realm>
Thanks!
> One of the main reasons you want to use this is that there can be more
> than one public key permitted at any given time due to key rotation
> support.
>
> On 17 August 2017 at 20:45, Alexey Kazakov <alkazako at redhat.com> wrote:
>
> On 08/16/2017 09:46 PM, Stian Thorgersen wrote:
> >
> >
> > On 16 August 2017 at 15:40, Alexey Kazakov <alkazako at redhat.com> wrote:
> >
> >
> > On 08/15/2017 05:00 AM, Stian Thorgersen wrote:
> > > I propose we remove the realm json returned at "/auth/realms/<realm name>"
> > > and just return an empty page
> > >
> > > * It can end up being visible to end-users - we should rather have a realm
> > > welcome page / SSO landing page here
> > What is wrong with exposing this json to users?
> >
> >
> > Nothing much really. There are no details there that are sensitive nor
> > can't easily be found out regardless. It doesn't look good if an
> > end-user happens to go to this URL though and is shown some JSON file
> > rather than an HTML page.
> >
> >
> >
> > > * It's not used by anything AFAIK
> >
> > I'm not sure if this endpoint is documented but it can be used by
> > users/clients. For example we use this endpoint to fetch the public key
> > of the realm in openshift.io plus for a simple health check. Should
> > something else be used instead?
> >
> >
> > For public keys use:
> > /auth/realms/<realm name>/.well-known/openid-configuration
> >
> > That's what our adapters use and it's an OIDC standard endpoint
>
> Hm.. I don't see any public key in /auth/realms/<realm name>/.well-known/openid-configuration
>
> Thanks.
>
> >
> >
> >
> > > * From time to time people complain about it (
> > > https://issues.jboss.org/browse/KEYCLOAK-5279 for instance, there are more
> > > similar issues reported)
> > It seems that I don't have access to this issue. What kind of problems
> > can this endpoint cause?
> >
> >
> > Folks claim it's a security issue. I disagree with that, but it comes
> > up from time to time.
> >
> >
> >
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev