[keycloak-user] Managing the attack surface of Keycloak

John D. Ament john.d.ament at gmail.com
Fri Jun 3 09:27:23 EDT 2016


Hey,

So, a very high level question, and any insight you guys may have would
help.

We're looking to potentially deploy keycloak as a part of a public cloud
application to support authentication to our applications based on security
settings our tenants may use, which may include talking back to their
internal LDAPs, our LDAP, our database, or their hosted SAML solutions.

We're not looking to expose this UI to them, so they would never need to
login other than visiting the login page to access our applications.  Are
there any mitigation strategies for reducing the attack surface of
keycloak? I saw that you had brute force detection available, in addition
to using public/private key pairs to do API authentication.  I'm wondering
if there's any more security levels that could be leveraged? Does reducing
the amount of API endpoints accessible publicly make sense in this
scenario?  If so, what endpoints would need to be there to support
authentication?

John