I’m an auditor and am currently checking our company’s web app, which will be public.
I found the files keycloak.js and keycloak.json in the app folder. Both can be viewed in the browser. The JSON has the parameters realm, auth-server-url, ssl-required, resource, credentials and use-resource-role-mappings.
Should this be exposed? Our devs say it is needed to connect to Keycloak and has to be exposed. From my point of view, it has “credentials” and a “secret” in it, like a password, and should not be exposed. Can this be used maliciously? I am not yet familiar with Keycloak’s inner workings. If this follows the OAuth spec, is this related to the client-id and client-secret implementation?
I need some opinions on this. Can you also point me to documentation regarding this?
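The check below is an added example for reviewing a file like the one described above; it is not code from the original post and not part of Keycloak. It parses a keycloak.json the way an auditor would after fetching it from the web root, classifies the client as public, confidential or bearer-only from the `public-client`, `bearer-only` and `credentials` keys, flags a `credentials.secret` that is reachable by every visitor, and produces a trimmed copy containing only the keys a browser-side adapter needs (realm, auth-server-url, ssl-required, resource, marked `public-client`). The sample realm, URL, client name and secret are constructed placeholders, and the list of browser-needed keys is an assumption taken from what the JavaScript adapter reads out of keycloak.json.

```javascript
// Added audit helper (not from the original post, not Keycloak's own code):
// classifies a keycloak.json fetched from a web root and reports what a
// browser visitor learns from it.

// Constructed sample shaped like the file in the question: it carries a
// credentials block with a secret. All values are placeholders.
const SAMPLE_WITH_SECRET = JSON.stringify({
  "realm": "example-realm",
  "auth-server-url": "https://sso.example.com/auth",
  "ssl-required": "external",
  "resource": "example-webapp",
  "credentials": { "secret": "constructed-placeholder-secret" },
  "use-resource-role-mappings": true
});

// Constructed sample of the same app registered as a public client:
// no credentials block, nothing in it is sensitive.
const SAMPLE_PUBLIC = JSON.stringify({
  "realm": "example-realm",
  "auth-server-url": "https://sso.example.com/auth",
  "ssl-required": "all",
  "resource": "example-webapp-browser",
  "public-client": true
});

// Keys a browser-side adapter config needs (assumption: realm, auth-server-url
// and resource are what the JavaScript adapter reads; ssl-required and
// public-client are harmless to publish). Anything else belongs to a
// server-side adapter and has no business in a file served to browsers.
const BROWSER_KEYS = ["realm", "auth-server-url", "ssl-required", "resource", "public-client"];

// Derives the client type from the adapter config keys alone.
function classifyClient(cfg) {
  if (cfg["bearer-only"] === true) return "bearer-only";
  if (cfg["public-client"] === true) return "public";
  if (cfg.credentials && typeof cfg.credentials === "object") return "confidential";
  return "unknown";
}

// Returns the client type, a list of findings and the keys that should not
// be in a browser-served file at all.
function auditKeycloakConfig(jsonText) {
  const cfg = JSON.parse(jsonText);
  const findings = [];
  const clientType = classifyClient(cfg);

  const secret = cfg.credentials && cfg.credentials.secret;
  if (typeof secret === "string" && secret.length > 0) {
    findings.push({
      severity: "high",
      key: "credentials.secret",
      message: "client secret is readable by anyone who can fetch the file; " +
               "treat it as compromised and regenerate it in the Keycloak client settings"
    });
  }
  if (cfg["ssl-required"] !== "all") {
    findings.push({
      severity: "medium",
      key: "ssl-required",
      message: `is "${cfg["ssl-required"]}" rather than "all"`
    });
  }
  const url = cfg["auth-server-url"];
  if (typeof url === "string" && !url.startsWith("https://")) {
    findings.push({ severity: "medium", key: "auth-server-url", message: "is not https" });
  }

  const leakedKeys = Object.keys(cfg).filter(k => !BROWSER_KEYS.includes(k));
  return { clientType, findings, leakedKeys };
}

// Builds the version that can sit in the web root: browser-facing keys only,
// explicitly marked as a public client. The credentials block is dropped.
function redactForBrowser(jsonText) {
  const cfg = JSON.parse(jsonText);
  const out = {};
  for (const k of BROWSER_KEYS) {
    if (k in cfg) out[k] = cfg[k];
  }
  out["public-client"] = true;
  return out;
}

console.log(JSON.stringify(auditKeycloakConfig(SAMPLE_WITH_SECRET), null, 2));
console.log(JSON.stringify(auditKeycloakConfig(SAMPLE_PUBLIC), null, 2));
console.log(JSON.stringify(redactForBrowser(SAMPLE_WITH_SECRET), null, 2));
```

Run it with node against the two constructed samples; to use it on a real deployment, fetch the served keycloak.json and pass its text to `auditKeycloakConfig`. The `leakedKeys` list is the part worth showing to the developers: it is exactly the set of keys whose presence means the file was written for a server-side (confidential) adapter rather than for the browser.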