Valtik Studios
Keycloak | medium | 2026-04-16 | 11 min read

Keycloak: Realm Configuration Tells You Everything

Keycloak is an enterprise identity and access management platform, and a high-value target. Publicly exposed realms, enabled self-registration, and reachable console access can lead to full SSO compromise. A penetration testing guide for IAM security audits and incident response.

By-design public endpoints

Keycloak exposes several endpoints without authentication by design. These are part of the OpenID Connect specification and are intended to be public. The problem is how much information they reveal about your authentication architecture.

What the OIDC discovery endpoint reveals

GET /realms/{realm}/.well-known/openid-configuration returns:

  • Supported grant types: tells attackers which auth flows are available
  • Token endpoint: where credentials are exchanged for tokens
  • JWKS URI: the public keys used to verify token signatures
  • Supported scopes: what data the tokens can access
  • Registration endpoint: whether self-registration is enabled

The admin console

Keycloak's admin console at /admin/ is a full React application. Even without valid credentials, loading the page reveals the Keycloak version (in the HTML), the available realms (via the realm selector), and the authentication flows configured for the admin console itself.

User self-registration

If self-registration is enabled on a realm, anyone can create an account at /realms/{realm}/account/. Combined with the OIDC configuration, an attacker can create a valid account and then use it to probe the application's authorization model.

How we detect this

Our scanner:

  1. Probes common realm names (master, app, production, etc.)
  2. Fetches the OIDC configuration for each discovered realm
  3. Checks if the admin console is accessible
  4. Tests self-registration on each realm

Defense

  • Restrict admin console access by IP or VPN
  • Disable self-registration unless explicitly needed
  • Never use "master" as your production realm name. Set a non-default name per environment.
  • Put Keycloak behind a reverse proxy that blocks /admin/ from external access
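The audit below is an added example, not Valtik's scanner. It runs the same four steps the detection section describes (probe realm names, fetch the OIDC discovery document, check whether /admin/ is served, test self-registration) and reports each hit against the defense checklist above. Two things are assumptions of this example rather than statements from the post: the discovery document's `registration_endpoint` is reported as advertised (in Keycloak it points at the client-registration service), and user self-registration is detected by looking for Keycloak's `login-actions/registration` link on the login page that /realms/{realm}/account/ redirects to. Network access is abstracted behind a `fetch` callable, so the checks also run offline against the constructed responses at the bottom; the host `sso.example.test` is made up.

```python
"""Audit a Keycloak deployment for the exposures described above.

Added example, not Valtik's scanner. Network access goes through a `fetch`
callable so the checks run offline against constructed responses.
"""
import json
import re
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Realm names a scanner tries first; "master" is Keycloak's built-in admin realm.
COMMON_REALMS = ("master", "app", "production", "dev", "staging")
# Grant types worth flagging on a realm; treating these as risky is a policy assumption.
RISKY_GRANTS = {"password", "implicit"}
# Assumed heuristic: Keycloak's login page links here only when self-registration is on.
REGISTRATION_LINK = re.compile(r"/login-actions/registration\b")


def http_get(url, timeout=5):
    """Live fetcher: returns (status, body); status is None if the host is unreachable."""
    try:
        with urlopen(url, timeout=timeout) as resp:  # follows redirects to the login page
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return None, ""


def audit_realm(base_url, realm, fetch=http_get):
    """Findings for one realm, or None when the realm does not exist (discovery is not 200)."""
    status, body = fetch(f"{base_url}/realms/{realm}/.well-known/openid-configuration")
    if status != 200:
        return None
    cfg = json.loads(body)
    findings = []
    if realm == "master":
        findings.append("built-in 'master' realm is discoverable; use a non-default realm per environment")
    risky = RISKY_GRANTS & set(cfg.get("grant_types_supported", []))
    if risky:
        findings.append("risky grant types advertised: " + ", ".join(sorted(risky)))
    if "registration_endpoint" in cfg:
        # In Keycloak this is the OIDC dynamic *client* registration endpoint, not user sign-up.
        findings.append("client registration endpoint advertised: " + cfg["registration_endpoint"])
    # Self-registration: the account console redirects to the login page, which carries a
    # "Register" link only when the realm allows user registration (assumed heuristic).
    status, body = fetch(f"{base_url}/realms/{realm}/account/")
    if status == 200 and REGISTRATION_LINK.search(body):
        findings.append("user self-registration enabled on login page")
    return findings


def admin_console_reachable(base_url, fetch=http_get):
    """True when /admin/ is served to the network the audit runs from (block it externally)."""
    status, _ = fetch(f"{base_url}/admin/")
    return status == 200


def audit(base_url, realms=COMMON_REALMS, fetch=http_get):
    """Run every check and return a report keyed by discovered realm."""
    report = {"admin_console_reachable": admin_console_reachable(base_url, fetch), "realms": {}}
    for realm in realms:
        findings = audit_realm(base_url, realm, fetch)
        if findings is not None:
            report["realms"][realm] = findings
    return report


# --- Constructed sample responses standing in for a misconfigured deployment ---
SAMPLE_BASE = "https://sso.example.test"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"{SAMPLE_BASE}/realms/master",
    "token_endpoint": f"{SAMPLE_BASE}/realms/master/protocol/openid-connect/token",
    "jwks_uri": f"{SAMPLE_BASE}/realms/master/protocol/openid-connect/certs",
    "registration_endpoint": f"{SAMPLE_BASE}/realms/master/clients-registrations/openid-connect",
    "grant_types_supported": ["authorization_code", "refresh_token", "password", "implicit"],
    "scopes_supported": ["openid", "profile", "email"],
})
SAMPLE_LOGIN_PAGE = (
    '<html><body><form action="/realms/master/login-actions/authenticate"></form>'
    '<a href="/realms/master/login-actions/registration?client_id=account-console">Register</a>'
    '</body></html>'
)


def sample_fetch(url, timeout=5):
    """Offline stand-in for http_get: only the master realm exists and /admin/ is open."""
    if url == f"{SAMPLE_BASE}/realms/master/.well-known/openid-configuration":
        return 200, SAMPLE_DISCOVERY
    if url == f"{SAMPLE_BASE}/realms/master/account/":
        return 200, SAMPLE_LOGIN_PAGE
    if url == f"{SAMPLE_BASE}/admin/":
        return 200, "<html>Keycloak Administration Console</html>"
    return 404, ""


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_BASE, fetch=sample_fetch), indent=2))
```

Against a live deployment, call `audit("https://your-keycloak-host")` with the default fetcher from outside your network: a correctly placed reverse proxy should make `admin_console_reachable` come back False, and a hardened realm should produce no findings beyond the client registration endpoint, which Keycloak always advertises.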
Tags: keycloak, iam, sso, penetration testing, identity security, vulnerability assessment, compliance, research

Want us to check your Keycloak setup?

Our scanner detects this exact misconfiguration, plus dozens more across 38 platforms. A free website check is available, no commitment required.