As I understand, the built-in admin-cli client is for REST API access. If it is accessible from all public IP addresses, as is the default, there is a potential security risk. Is it possible to limit its access to whitelisted IP addresses?
Similarly for the realm-management client.
First: I would personally not expose Keycloak directly to attached networks/the internet but use a reverse proxy.
If I understand your question correctly, this would solve your problem, as you could delegate all network/IP-based access control to the reverse proxy.
If you do not use a reverse proxy, you are also exposing the admin interface (login) to your clientele.
I do have an nginx reverse proxy. I will protect those endpoints with the proxy then. Thanks for the advice.
Looks like what we need to do is to match "client_id=admin-cli" in the query string, and limit the source IP when matched. It turns out this is not straightforward with nginx.
PS: These are the types of access that should be protected:
curl --silent -X POST \
  "${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=admin-cli" \
  -d "username=admin" \
  -d "password=..." \
  -d "grant_type=password"
Is there any way to do this type of protection inside Keycloak?
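One way to apply the source-IP restriction at the reverse proxy, as an added example that is not part of the thread or of Keycloak's own documentation. Note that the curl call above sends client_id in the POST body, not the query string, and nginx core cannot inspect the body while selecting a location, so this configuration does not match on admin-cli at all. Instead it restricts the two paths an administrator actually uses: the admin console and admin REST API under /admin/, and the token endpoint of the master realm. The upstream address, the hostname, the TLS paths and the 203.0.113.0/24 admin network are all placeholders, and the example assumes the master realm is used only for administration while end users authenticate in other realms.

```nginx
# Added example: nginx in front of Keycloak, restricting administrative access by source IP.
# Assumptions (placeholders): Keycloak on 127.0.0.1:8080 with no context path
# (/realms/... and /admin/... paths), administrators connect from 203.0.113.0/24.

upstream keycloak {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name sso.example.com;                   # placeholder hostname
    ssl_certificate     /etc/nginx/tls/sso.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/sso.key;

    # Headers Keycloak needs to build correct redirect and issuer URLs behind a proxy.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # 1. Admin console and admin REST API: only reachable from the admin network.
    location /admin/ {
        allow 203.0.113.0/24;
        deny  all;
        proxy_pass http://keycloak;
    }

    # 2. Token endpoint of the master realm. The admin-cli password grant posts
    #    client_id in the request body, which cannot be matched here, so the
    #    whole master-realm token endpoint is limited to the admin network.
    #    Assumes the master realm is used only for administration.
    location = /realms/master/protocol/openid-connect/token {
        allow 203.0.113.0/24;
        deny  all;
        proxy_pass http://keycloak;
    }

    # 3. Everything else (end-user realms, account console, OIDC endpoints) stays public.
    location / {
        proxy_pass http://keycloak;
    }
}
```

The allow/deny directives evaluate $remote_addr, so if another load balancer sits in front of this nginx, the real client address has to be restored first (nginx's ngx_http_realip_module with set_real_ip_from and real_ip_header) or every request will appear to come from the load balancer. Requests that fail the check receive 403 from nginx and never reach Keycloak, which also makes them easy to spot in the proxy access log.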