I have a configuration centralization issue.
I have a web application that knows the Keycloak URLs, because the issuer URL and other properties are specified on the backend server. This web app offers a REST API.
Then I have many desktop applications, which are API clients of the previously mentioned REST API.
In these desktop applications, users need to specify the Keycloak URL or the Keycloak OIDC JSON adapter configuration.
It’s too technical for users and there is too much config information to fill out.
As these desktop applications already know our REST API base URL, I am asking myself whether it is good practice, in terms of security, to expose the Keycloak URLs and JSON adapter configuration from an unsecured endpoint in this app?
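
As an added example (not part of the original post): one check a desktop client could run on an adapter configuration fetched from such an unauthenticated endpoint before using it. The `trusted_hosts` allow-list shipped with the client, the function names and the sample values are assumptions made for the illustration.

```python
from urllib.parse import urlparse

REQUIRED_KEYS = ("realm", "auth-server-url", "resource")

def expected_issuer(cfg):
    """Issuer Keycloak publishes for a realm: <auth-server-url>/realms/<realm>."""
    return f"{cfg['auth-server-url'].rstrip('/')}/realms/{cfg['realm']}"

def check_bootstrap_config(cfg, discovery, trusted_hosts):
    """Return a list of problems; an empty list means the config is usable."""
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if not cfg.get(k)]
    if problems:
        return problems
    url = urlparse(cfg["auth-server-url"])
    if url.scheme != "https":
        problems.append("auth-server-url is not https")
    if url.hostname not in trusted_hosts:
        problems.append(f"untrusted Keycloak host: {url.hostname}")
    # A client secret must never be served without authentication; a desktop
    # application cannot keep one secret anyway, so it should be a public client.
    if "credentials" in cfg:
        problems.append("config exposes client credentials")
    if cfg.get("public-client") is not True:
        problems.append("client is not declared public")
    # The discovery document must describe the same realm as the adapter config.
    if discovery.get("issuer") != expected_issuer(cfg):
        problems.append("issuer mismatch in discovery document")
    return problems

# Constructed sample data (hypothetical host, realm and client id).
GOOD_CFG = {
    "realm": "demo",
    "auth-server-url": "https://sso.example.com/",
    "resource": "desktop-client",
    "public-client": True,
}
GOOD_DISCOVERY = {"issuer": "https://sso.example.com/realms/demo"}
LEAKY_CFG = dict(GOOD_CFG, **{"public-client": False,
                              "credentials": {"secret": "PLACEHOLDER"}})

if __name__ == "__main__":
    hosts = {"sso.example.com"}
    print(check_bootstrap_config(GOOD_CFG, GOOD_DISCOVERY, hosts))
    print(check_bootstrap_config(LEAKY_CFG, GOOD_DISCOVERY, hosts))
```
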