[keycloak-user] Guidelines for protecting Keycloak Endpoints

Aikeaguinea aikeaguinea at xsmail.com
Tue Apr 12 10:28:28 EDT 2016


+1 for being able to disable exposing admin links to the outside world.
 
 
On Tue, Mar 24, 2016, at 6:48 AM, Thomas Darimont wrote:
> Hello group,
>
> I'm about to configure our Web Application Firewall for Keycloak where
> I want to implement
> the following scenario:
>
> CLIENT_ENDPOINTS:
> All endpoints needed for Web SSO via OAuth 2.0 / OpenID Connect, as
> well as the account and
> login/totp/registration/forgot password pages should be accessible
> from the public internet.
>
> ADMIN_ENDPOINTS:
> Admin endpoints like the Admin Console, Admin REST API etc. should
> only be accessible
> from the internal network.
>
> Are there any guidelines for which URL pattern applies to which
> category (CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?
>
> To me, it seems that:
> - "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.
> - "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS category.
> Have I missed anything else?
>
> Btw. it turns out that some endpoints (unnecessarily) expose internal
> links like:
> "admin-api" if you go to: http://localhost:8080/auth/realms/my-realm/
>
> {
> realm: "my-realm",
> public_key: "...",
> token-service: "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect",
> account-service: "http://localhost:8080/auth/realms/my-realm/account",
> admin-api: "http://localhost:8080/auth/admin",
> tokens-not-before: 0
> }
>
> Can this be disabled?
>
> Cheers,
> Thomas
>
 

-- 
http://www.fastmail.com - Faster than the air-speed velocity of an
                          unladen european swallow


