[keycloak-user] discovery and key security
Marek Posolda
mposolda at redhat.com
Mon Aug 14 02:55:13 EDT 2017
Those endpoints shouldn't contain any sensitive data. Those are not
"signing keys" themselves, they are just public keys, which client
applications can download so they are able to verify access tokens. Also,
endpoint locations provided by .well-known are public, but the endpoints
themselves (e.g. the token endpoint) are properly secured.
Per OpenID Connect Discovery, that endpoint doesn't need to be
secured. It's just needed that the endpoint uses HTTPS to avoid
man-in-the-middle attacks where an attacker would trick the client
application by returning incorrect endpoints or public keys.
Do you see anything concrete where exposing that information is a
security risk?
Thanks,
Marek
On 10/08/17 11:18, Simon Payne wrote:
> Hi,
>
> I have found that .well-known and jwks_uri endpoints are left unsecured
> meaning that unauthenticated clients can discover auth server configuration
> and signing keys.
>
> Surely we should require a minimum of basic authentication using client id
> and secret?
>
> thanks
>
> Simon.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user