Secure Way to configure KeyCloak URL in client

Vanjana · September 22, 2021, 7:00am

Hey,

we have a Vue app using a Spring Boot backend. There are multiple customers running their own instance of the webserver, and running their own keycloak instance.

Currently, at bootstrapping the webApp, it sends a request to te server, and the server sends the url of the keycloak instance. Then, the client uses the JavaScript Library of KeyCloak to do authentication against the url, told from our server.

I think, this is a not very secure way. Imagine, a hacker is able to send an manipulated URL to the client. Then our client accepts this manipulated URL, and the user maybe gets an manipulated version of an login page, stealing their credentials.

But what would be the correct way to tell the client the address of the KeyCloak server?

Thanks

xgp · September 22, 2021, 9:55am

Having the URL of Keycloak available to the client is not a security hole. You should either configure it in your Javascript, or serve the keycloak.json file for the adapter to automatically load.

Topic		Replies	Views
How to call keycloak protected rest api from front end	4	4027	October 19, 2020
Marry two keycloak clients Securing applications authentication	0	547	May 19, 2020
frontendUrl propert doesnt work	8	2048	October 25, 2020
Using keycloak in Vue3, but not on startup Getting advice	1	1074	August 23, 2021
How to setup a client to use the backend URL instead of the frontend URL? Configuring the server	2	2071	June 20, 2022

Secure Way to configure KeyCloak URL in client

Related Topics