Valtik Studios
Keycloak · medium · Updated 2026-04-17 · orig. 2026-01-12 · 11 min

Keycloak: Realm Configuration Tells You Everything

Keycloak is enterprise identity and access management, and a high-value target. Publicly exposed realms, enabled self-registration, and console access lead to full SSO compromise. A penetration testing guide to IAM security audits and incident response.

Phillip (Tre) Bucchi · Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.

The Keycloak endpoints that show more than you think

Open up your Keycloak deployment's URL. Add /realms/master/.well-known/openid-configuration at the end. Hit it from your phone on cellular data. No auth. You just pulled the complete authentication architecture of your Keycloak deployment from a network the deployment has never seen before.

This is by design. The OIDC specification requires the discovery endpoint to be public. What the spec doesn't say is that most teams configure Keycloak with verbose realm details, admin URLs exposed, and realm names that disclose internal naming conventions.

Every Keycloak audit we run starts with enumerating what the public endpoints reveal. The amount of information is substantial.

What the OIDC discovery endpoint reveals

GET /realms/{realm}/.well-known/openid-configuration returns:
  • All supported grant types: tells attackers which auth flows are available
  • Token endpoint: where to exchange credentials for tokens
  • JWKS URI: the public keys used to sign tokens
  • Supported scopes: what data the tokens can access
  • Registration endpoint: whether self-registration is enabled

The admin console

Keycloak's admin console at /admin/ is a full React application. Even without valid credentials, loading the page reveals the Keycloak version (in the HTML), the available realms (via the realm selector), and the authentication flows configured for the admin console itself.

User self-registration

If self-registration is enabled on a realm, anyone can create an account at /realms/{realm}/account/. Combined with the OIDC configuration, an attacker can create a valid account and then use it to probe the application's authorization model.

How we detect this

Our scanner:

  1. Probes common realm names (master, app, production, etc.)
  2. Fetches the OIDC configuration for each discovered realm
  3. Checks if the admin console is accessible
  4. Tests self-registration on each realm
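To make the discovery-document checks above concrete for a defender auditing their own deployment, here is an added Python example (not Valtik's scanner and not Keycloak code). It parses a constructed discovery document with the standard OIDC field names and returns findings matching this post's defense list; the host `sso.example.test` and the realm documents are placeholders.

```python
import json
import urllib.request
from typing import Dict, List

# Constructed sample of what GET /realms/{realm}/.well-known/openid-configuration
# returns. Keys are standard OIDC discovery fields; the host is a placeholder.
SAMPLE_DISCOVERY: Dict = json.loads("""
{
  "issuer": "https://sso.example.test/realms/master",
  "token_endpoint": "https://sso.example.test/realms/master/protocol/openid-connect/token",
  "jwks_uri": "https://sso.example.test/realms/master/protocol/openid-connect/certs",
  "registration_endpoint": "https://sso.example.test/realms/master/clients-registrations/openid-connect",
  "grant_types_supported": ["authorization_code", "implicit", "password",
                            "client_credentials", "refresh_token"],
  "scopes_supported": ["openid", "profile", "email", "roles", "offline_access"]
}
""")


def fetch_discovery(base_url: str, realm: str) -> Dict:
    """Fetch the live discovery document for one realm (network call; not used in the sample run)."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:  # unauthenticated by design
        return json.load(resp)


def audit_discovery(realm: str, doc: Dict) -> List[str]:
    """Return defender-facing findings for one realm's discovery document."""
    findings: List[str] = []
    if realm == "master":
        findings.append("default realm 'master' exposed: use a non-default realm per environment")
    grants = set(doc.get("grant_types_supported", []))
    if "implicit" in grants:
        findings.append("implicit grant advertised: legacy flow, disable it on clients")
    if "password" in grants:
        findings.append("password grant advertised: credentials can be posted straight to the token endpoint")
    if "registration_endpoint" in doc:
        findings.append("registration endpoint published: confirm self-registration is disabled unless needed")
    if "offline_access" in doc.get("scopes_supported", []):
        findings.append("offline_access scope offered: long-lived refresh tokens can be issued")
    return findings


def audit_realms(realm_docs: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Audit a mapping of realm name -> discovery document; realms with no findings map to []."""
    return {realm: audit_discovery(realm, doc) for realm, doc in realm_docs.items()}


if __name__ == "__main__":
    for realm, findings in audit_realms({"master": SAMPLE_DISCOVERY}).items():
        print(realm, "->", findings or "no findings")
```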

Defense

  • Restrict admin console access by IP or VPN
  • Disable self-registration unless explicitly needed
  • Never use "master" as your production realm name. Set a non-default name per environment.
  • Put Keycloak behind a reverse proxy that blocks /admin/ from external access

Want us to check your Keycloak setup?

Our scanner detects this exact misconfiguration, plus dozens more across 38 platforms. Free website check available, no commitment required.
