Secure way to configure Keycloak URL in client


We have a Vue app using a Spring Boot backend. There are multiple customers running their own instance of the web server, and running their own Keycloak instance.

Currently, when bootstrapping the web app, it sends a request to the server, and the server sends back the URL of the Keycloak instance. Then the client uses the Keycloak JavaScript library to authenticate against the URL it was given by our server.

I think this is not a very secure way. Imagine a hacker is able to send a manipulated URL to the client. Then our client accepts this manipulated URL, and the user may get a manipulated version of the login page that steals their credentials.

But what would be the correct way to tell the client the address of the Keycloak server?


Having the URL of Keycloak available to the client is not a security hole. You should either configure it in your JavaScript, or serve the keycloak.json file for the adapter to automatically load.
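Added example (not code from the question or the answer): a client-side loader that reads a served keycloak.json, as the answer suggests, and sanity-checks the `auth-server-url` before it is handed to the Keycloak JS adapter. It assumes the file is served from the app's own origin at `/keycloak.json` and uses the standard keys `realm`, `auth-server-url` and `resource`; the sample document and the `/keycloak.json` path are constructed.

```javascript
// Constructed keycloak.json, as the customer's web server would serve it
// (hostname and realm are placeholders, not real deployments).
const SAMPLE_KEYCLOAK_JSON = JSON.stringify({
  "realm": "customer-a",
  "auth-server-url": "https://sso.customer-a.example/auth/",
  "ssl-required": "external",
  "resource": "vue-frontend",
  "public-client": true
});

// Turn a keycloak.json document into the options object the adapter takes
// ({ url, realm, clientId }). Only a well-formed https URL without embedded
// credentials is accepted, so a plain-http or otherwise odd value in the
// served file never reaches the adapter.
function parseKeycloakConfig(text) {
  const cfg = JSON.parse(text);
  const raw = cfg["auth-server-url"];
  if (typeof raw !== "string" || typeof cfg.realm !== "string" ||
      typeof cfg.resource !== "string") {
    throw new Error("keycloak.json: realm, resource or auth-server-url missing");
  }
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    throw new Error("keycloak.json: auth-server-url is not a valid URL");
  }
  if (url.protocol !== "https:" || url.username || url.password) {
    throw new Error("keycloak.json: auth-server-url must be https without credentials");
  }
  return { url: url.href, realm: cfg.realm, clientId: cfg.resource };
}

// How the Vue app would use it: fetch the file from its own origin (the same
// origin that served the JavaScript bundle), validate it, then construct the
// adapter. The adapter call is shown as a comment because keycloak-js is not
// imported in this stand-alone example.
async function loadKeycloakOptions(fetchImpl = fetch) {
  const res = await fetchImpl("/keycloak.json", { credentials: "same-origin" });
  if (!res.ok) throw new Error(`keycloak.json: HTTP ${res.status}`);
  const options = parseKeycloakConfig(await res.text());
  // const keycloak = new Keycloak(options);
  // await keycloak.init({ onLoad: "login-required" });
  return options;
}
```

Whoever can alter this file can equally alter the served JavaScript, which is why the answer treats the URL itself as non-secret; the checks above only catch misconfiguration and downgrade to plain http.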