[keycloak-user] Guidelines for protecting Keycloak Endpoints

Marek Posolda mposolda at redhat.com
Wed Mar 30 09:21:52 EDT 2016


On 24/03/16 11:48, Thomas Darimont wrote:
> Hello group,
>
> I'm about to configure our Web Application Firewall for Keycloak where 
> I want to implement
> the following scenario:
>
> CLIENT_ENDPOINTS:
> All endpoints needed for Web SSO via OAuth 2.0 / OpenID Connect, as 
> well as the account and
> login/totp/registration/forgot password pages should be accessible 
> from the public internet.
>
> ADMIN_ENDPOINTS:
> Admin endpoints like the Admin Console, Admin REST API etc. should 
> only be accessible
> from the internal network.
>
> Are there any guidelines for which URL pattern applies to which 
> category (CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?
I think that all the stuff related to admin REST endpoints or admin 
console UI is under /auth/admin/* .

For access admin console just from local addresses, we don't support it 
AFAIK, but you can achieve it with usage of some custom proxy/filter, 
which will reject request coming from external IP address.

For the future, we plan to improve authorization/permissions for admin 
console. As part of this, it will be possible to create authorization 
rule to limit access just for some IP addresses. Not sure when this is 
available though...

Marek
>
> To me, it seems that:
> - "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.
> - "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS category.
> Have I missed anything else?
>
> Btw. it turns out that some endpoints (unnecessarily) expose internal 
> links like:
> "admin-api" if you go to: http://localhost:8080/auth/realms/my-realm/
>
> {
> realm: "my-realm",
> public_key: "...",
> token-service: 
> "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect",
> account-service: "http://localhost:8080/auth/realms/my-realm/account",
> admin-api: "http://localhost:8080/auth/admin",
> tokens-not-before: 0
> }
>
> Can this be disabled?
>
> Cheers,
> Thomas
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160330/e68b163a/attachment.html 


More information about the keycloak-user mailing list