Wildcards in issuer?


Doug Whitfield

Jul 14, 2021, 2:35:34 PM7/14/21
to Keycloak User
Is it possible to have a wildcard in an issuer URL? I see lots of information about wildcards in redirect URLs, but nothing about issuers. Basically, we'd like to accept issuers something like this:

*.auth.company.com

where those would match server1.auth.company.com and server2.auth.company.com.

I can see some obvious security downsides to doing things this way, but at the same time, if we have someone on the other side of the firewall messing with DNS, then we already have big issues. In any case, it's not my decision on how this will ultimately get implemented.

Part of the problem with wildcards in redirect URLs is that it wouldn't work anyway, per https://issues.redhat.com/browse/KEYCLOAK-14071

Does anybody have thoughts on this? Do we just need something sitting in front of the Keycloak servers? I would think there could be latency issues with servers all over the globe, but I haven't thought through that scenario completely.

Thanks!
Doug
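One strict way to implement the single-label wildcard issuer matching Doug describes on the relying-party side, as an added example that is not from the post or from Keycloak. The allowlist entries, the realm path and the function name `issuer_allowed` are constructed for illustration; the wildcard is limited to exactly one leftmost DNS label, the scheme must be https, and the path and port must match exactly, so look-alike hosts and suffix tricks are rejected.

```python
from urllib.parse import urlsplit

# Constructed allowlist: one exact issuer and one single-label wildcard.
# "*." covers exactly one DNS label, so https://server1.auth.company.com
# matches but https://a.b.auth.company.com and https://auth.company.com do not.
ALLOWED_ISSUERS = (
    "https://login.company.com/auth/realms/main",
    "https://*.auth.company.com/auth/realms/main",
)


def _host_matches(pattern_host: str, host: str) -> bool:
    """Match a lowercase hostname against a pattern whose only wildcard is a leading '*.'."""
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]            # ".auth.company.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]          # the part the '*' stood for
        return bool(label) and "." not in label
    return pattern_host == host


def issuer_allowed(issuer: str, allowed=ALLOWED_ISSUERS) -> bool:
    """Return True only if `issuer` matches an allowlist entry.

    The scheme must be https, the host is compared case-insensitively
    (urlsplit().hostname is already lowercased), and scheme, port and path
    are compared exactly, so https://evil.example/auth.company.com/... and
    https://server1.auth.company.com.evil.example/... are both rejected.
    """
    try:
        iss = urlsplit(issuer)
        iss_port = iss.port                   # raises ValueError on a bad port
    except ValueError:
        return False
    if iss.scheme != "https" or not iss.hostname or iss.query or iss.fragment:
        return False
    for entry in allowed:
        pat = urlsplit(entry)
        if pat.scheme != iss.scheme or pat.port != iss_port:
            continue
        if not _host_matches(pat.hostname, iss.hostname):
            continue
        if pat.path == iss.path:
            return True
    return False
```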